From heas at shrubbery.net Fri Oct 1 00:38:49 2010
From: heas at shrubbery.net (john heasley)
Date: Thu, 30 Sep 2010 17:38:49 -0700
Subject: [rancid] Like to make use of ssh keyfile/passphrase for ssh login to nexus boxes
In-Reply-To: <4CA43F0F.3020805@chalmers.se>
References: <4CA43E04.8010000@chalmers.se> <4CA43F0F.3020805@chalmers.se>
Message-ID: <20101001003849.GH10490@shrubbery.net>

Thu, Sep 30, 2010 at 09:41:03AM +0200, Per-Olof Olsson:
>> Hello
>>
>>
>> Added same code as in hlogin/jlogin to clogin.
>> Looks like it works nice for nexus 5k w/wo keyfile/passphrase, and
>> still for some Cisco ios switches/routers using ssh without
>> keyfile/passphrase. I can't test all other boxes that make use of
>> the clogin file. But what I can see, most part of code depends on ssh
>> client in the "rancid server" and not script code handling switches and
>> routers.
>> Note for hlogin:
>> Missing usage help text for "-r passphrase" option after adding
>> keyfile/passphrase to hlogin.

got it. thanks.

>> Is this for the TODO list?
>> Make all ssh aware *login script keyfile/passphrase ready.

It isn't, since it only applies to devices that can use keys, which didn't
apply to cisco/clogin before. Have others grown this capability?

they should all accept -r, and ignore it if it isn't supported.

From tias at netnod.se Fri Oct 1 07:28:46 2010
From: tias at netnod.se (Mathias Wolkert)
Date: Fri, 01 Oct 2010 09:28:46 +0200
Subject: [rancid] hlogin hangs after "Press any key"
In-Reply-To: <20100928231257.GE23669@shrubbery.net>
References: <20100928231257.GE23669@shrubbery.net>
Message-ID: <4CA58DAE.6080507@netnod.se>

On 9/29/10 1:12 AM, john heasley wrote:
> Tue, Sep 28, 2010 at 10:39:59AM +0200, Mathias Wolkert:
>> Hi all
>>
>> I'm new to rancid and have an issue.
>> All ciscos, quaggas and brocades are working as expected and I'm very happy.
>> Unfortunately I have a bunch of procurves and can't get them in line.
>>
>> I run debian lenny and the provided package rancid-core-2.3.2~a8-4.
>> I just dl:ed rancid-2.3.5.tar.gz, compiled and tried the fresher hlogin with same result.
> and updated hpuifilter?

Eh, no. What do I need to do?

>> It logs in alright but hangs after the license banner and the "Press any key to continue"
>> with the prompt "hostname>" until it times out.
>>
>> Google has not given me any help but my fingers are fairly big...
>>
>> Any help is much appreciated.
>>
>> /Tias

/Tias

From W.Fuertbauer at asamer.at Fri Oct 1 07:34:15 2010
From: W.Fuertbauer at asamer.at (Fürtbauer Wolfgang)
Date: Fri, 1 Oct 2010 09:34:15 +0200
Subject: [rancid] fortinet problem
In-Reply-To: <20100930191501.GO10490@shrubbery.net>
References: <47CE942B4E710145A27E5339D5B34E0101059CB8@aohexchange01.asamer.holding.ah>
 <20100930191501.GO10490@shrubbery.net>
Message-ID: <47CE942B4E710145A27E5339D5B34E0101059CDA@aohexchange01.asamer.holding.ah>

Dear John,

Output of nlogin is:

rancid at aohmonitoring01:~> nlogin

spawn ssh -c 3des -x -l monitoring
monitoring@'s password:
FGT50A3906508751 #
FGT50A3906508751 # Timeout
exit
Connection to closed.
rancid at aohmonitoring01:~>

I've seen a lot of discussion about fortinet and rancid and it seems
there are some patches around - but I was not able to find them :(

Probably one of the fellow colleagues can guide me?!

Thanks in advance
Wolfgang

Wolfgang Fürtbauer
Head of IT

ASAMER Holding AG
Unterthalham Strasse 2
4694 Ohlsdorf
AUSTRIA
tel +43 50 799 - 2500
fax +43 7612 799 - 9526
mobile +43 664 8332326
w.fuertbauer at asamer.at
www.asamer.at

This message is confidential. It may not be disclosed to, or used by, anyone
other than the addressee. If you receive this message by mistake, please
advise the sender.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, 30 September 2010 21:15
To: Fürtbauer Wolfgang
Subject: Re: [rancid] fortinet problem

Thu, Sep 30, 2010 at 04:36:35PM +0200, Fürtbauer Wolfgang:
> Dear colleagues,
>
> running rancid 2.3.4 with HP and CISCO without problems.
> Now I want to add my fortigate devices - but it does not work :(
>
> .cloginrc:
> add user
> add password
> add method ssh
> add autoenable 0
>
> router.db:
> :fortigate:up
>
> with rancid-run it hangs and I get the following error messages:
>
> Trying to get all of the configs.
> : missed cmd(s): show,get system status
> 0: found end
> : End of run not found

i am not familiar with fortigate.
but, you probably want to start by verifying that nlogin works for the
device, as suggested in the RANCID FAQ section 3.

From heas at shrubbery.net Fri Oct 1 15:56:45 2010
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Oct 2010 08:56:45 -0700
Subject: [rancid] fortinet problem
In-Reply-To: <47CE942B4E710145A27E5339D5B34E0101059CDA@aohexchange01.asamer.holding.ah>
References: <47CE942B4E710145A27E5339D5B34E0101059CB8@aohexchange01.asamer.holding.ah>
 <20100930191501.GO10490@shrubbery.net>
 <47CE942B4E710145A27E5339D5B34E0101059CDA@aohexchange01.asamer.holding.ah>
Message-ID: <20101001155645.GB24164@shrubbery.net>

Fri, Oct 01, 2010 at 09:34:15AM +0200, Fürtbauer Wolfgang:
> Dear John,
>
> Output of nlogin is:
>
> rancid at aohmonitoring01:~> nlogin
>
> spawn ssh -c 3des -x -l monitoring
> monitoring@'s password:
> FGT50A3906508751 #
> FGT50A3906508751 # Timeout

How are you. nlogin looks for the prompt to end with "-> "; why is it "#"
here? ISTR someone saying that the format had changed and trying to
understand when and under what circumstances, but not being able to verify.

From istong at costar.com Fri Oct 1 17:19:30 2010
From: istong at costar.com (Ian Stong)
Date: Fri, 1 Oct 2010 13:19:30 -0400
Subject: [rancid] HP Procurve 2810 with rancid v2.3.1
In-Reply-To: <20100930181007.GL10490@shrubbery.net>
References: <20100908230934.GF28099@shrubbery.net> <20100930181007.GL10490@shrubbery.net>
Message-ID:

Hi,

Hpuifilter is in the rancid/bin directory - which is in the path of both
my shell and in the rancid.conf file.

I still get the following error:

hpuifilter: execlp() failed: No such file or directory
Error: Couldn't login

Other ideas?

Ian

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, September 30, 2010 2:10 PM
To: Ian Stong
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] HP Procurve 2810 with rancid v2.3.1

Thu, Sep 30, 2010 at 12:31:55PM -0400, Ian Stong:
> Hi,
>
> I am trying to get rancid v2.3.1 on freebsd to work with my HP procurve
> switches using SSH. When I use clogin it logs in but hangs at the Press
> any key to continue prompt. And hlogin returns an error of:
>
> hpuifilter: execlp() failed: No such file or directory
> Error: Couldn't login

make sure that the PATH of the shell running hlogin includes the location of
hpuifilter. if it's via rancid-run, make sure it's in the PATH within
rancid.conf

> Is it possible to get this working under v2.3.1 of rancid? I'm nervous
> about upgrading to 2.3.5 and breaking something. Anyone have it working
> with v2.3.1?
>
> If upgrading is the only option, what is the recommended path to be able
> to rollback if the upgrade doesn't go well? Is it as simple as backing
> up the /home/rancid directories or are there libraries and binaries
> strewn throughout the system?

i think fbsd puts rancid stuff in /usr/local/bin and
/usr/local/libexec/rancid

From jmadrid2 at gmail.com Fri Oct 1 19:58:56 2010
From: jmadrid2 at gmail.com (Jose Madrid)
Date: Fri, 1 Oct 2010 15:58:56 -0400
Subject: [rancid] Foundry STACKID
Message-ID:

I have a few Foundry FLS648's on which I currently run Rancid. When I
output the "show version" on this device, the STACKID line changes
every time because it includes the uptime. This means that a change is
picked up every time Rancid runs. I have found the section of francid
which parses the output of show version, but not sure what exactly to
edit to make it ignore this line. Any help?

- !STACKID 1 system uptime is 21 days 17 hours 31 minutes 36 seconds
+ !STACKID 1 system uptime is 21 days 20 hours 31 minutes 31 seconds

--
It has to start somewhere, it has to start sometime. What better place than
here? What better time than now?

From W.Fuertbauer at asamer.at Sat Oct 2 06:39:40 2010
From: W.Fuertbauer at asamer.at (Fürtbauer Wolfgang)
Date: Sat, 2 Oct 2010 08:39:40 +0200
Subject: [rancid] fortinet problem
References: <47CE942B4E710145A27E5339D5B34E0101059CB8@aohexchange01.asamer.holding.ah>
 <20100930191501.GO10490@shrubbery.net>
 <47CE942B4E710145A27E5339D5B34E0101059CDA@aohexchange01.asamer.holding.ah>
 <20101001155645.GB24164@shrubbery.net>
Message-ID: <47CE942B4E710145A27E5339D5B34E01BC0A6B@aohexchange01.asamer.holding.ah>

Dear John,

I finally found the patch:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
and applied it (manually) against my rancid-2.3.4.
It's working! Thanks a lot Diego!

Probably this patch could be added to the main code?!

to answer your question John: the prompt ends with a '#' for readonly-users
and a '$' for read-write users

BR
Wolfgang

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Fri 01.10.2010 17:56
To: Fürtbauer Wolfgang
Cc: john heasley; rancid-discuss at shrubbery.net
Subject: Re: [rancid] fortinet problem

Fri, Oct 01, 2010 at 09:34:15AM +0200, Fürtbauer Wolfgang:
> Dear John,
>
> Output of nlogin is:
>
> rancid at aohmonitoring01:~> nlogin
>
> spawn ssh -c 3des -x -l monitoring
> monitoring@'s password:
> FGT50A3906508751 #
> FGT50A3906508751 # Timeout

How are you. nlogin looks for the prompt to end with "-> "; why is it "#"
here? ISTR someone saying that the format had changed and trying to
understand when and under what circumstances, but not being able to verify.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rancid-2.3.4_fortigate_2x-3x.patch
Type: text/x-patch
Size: 29550 bytes
Desc: rancid-2.3.4_fortigate_2x-3x.patch
URL:

From jethro.binks at strath.ac.uk Sat Oct 2 10:14:47 2010
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Sat, 2 Oct 2010 11:14:47 +0100 (BST)
Subject: [rancid] Foundry STACKID
In-Reply-To:
References:
Message-ID:

On Fri, 1 Oct 2010, Jose Madrid wrote:

> I have a few Foundry FLS648's on which I currently run Rancid. When I
> output the "show version" on this device, the STACKID line changes
> every time because it includes the uptime. This means that a change is
> picked up every time Rancid runs. I have found the section of francid
> which parses the output of show version, but not sure what exactly to
> edit to make it ignore this line. Any help?
>
> - !STACKID 1 system uptime is 21 days 17 hours 31 minutes 36 seconds
> + !STACKID 1 system uptime is 21 days 20 hours 31 minutes 31 seconds

I don't have this model, but assuming the STACKID number is useful to
have, the line in the following line should fix this, which is certainly
in my copy of francid, but not sure if it is in the current distribution
(mine's a bit of a mangled copy, and can't check the repository just now).
It's in the ShowVersion function:

        s/^\s*(HW|SW)/$1/;
        s/^\s*(Compiled on)/SW: $1/;
        s/^\s*(\(\d+ bytes\) from )/SW: $1/;
        # remove uptime on newer switches
        s/(STACKID \d+)\s+system uptime is.*$/$1/;

So try editing francid to add the last line.

While we're talking Foundry, someone mailed rancid@ the other day with
another Foundry-related patch and asked about others that had been sent;
can you please make yourself known to me, thanks (I didn't keep the
message, rashly).

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From heas at shrubbery.net Sat Oct 2 14:38:10 2010
From: heas at shrubbery.net (john heasley)
Date: Sat, 2 Oct 2010 07:38:10 -0700
Subject: [rancid] fortinet problem
In-Reply-To: <47CE942B4E710145A27E5339D5B34E01BC0A6B@aohexchange01.asamer.holding.ah>
References: <47CE942B4E710145A27E5339D5B34E0101059CB8@aohexchange01.asamer.holding.ah>
 <20100930191501.GO10490@shrubbery.net>
 <47CE942B4E710145A27E5339D5B34E0101059CDA@aohexchange01.asamer.holding.ah>
 <20101001155645.GB24164@shrubbery.net>
 <47CE942B4E710145A27E5339D5B34E01BC0A6B@aohexchange01.asamer.holding.ah>
Message-ID: <20101002143810.GA16269@shrubbery.net>

Sat, Oct 02, 2010 at 08:39:40AM +0200, Fürtbauer Wolfgang:
> Dear John,
>
> I finally found the patch:
> http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
> and applied it (manually) against my rancid-2.3.4.
> It's working! Thanks a lot Diego!
>
> Probably this patch could be added to the main code?!
>
> to answer your question John: the prompt ends with a '#' for readonly-users
> and a '$' for read-write users

Thanks. When did this change from '->'? is there a need to support the
old prompt?

> BR
> Wolfgang
> > > > -----Urspr?ngliche Nachricht----- > Von: john heasley [mailto:heas at shrubbery.net] > Gesendet: Fr 01.10.2010 17:56 > An: F?rtbauer Wolfgang > Cc: john heasley; rancid-discuss at shrubbery.net > Betreff: Re: [rancid] fortinet problem > > Fri, Oct 01, 2010 at 09:34:15AM +0200, F?rtbauer Wolfgang: > > Dear John, > > > > Output of nlogin is: > > > > rancid at aohmonitoring01:~> nlogin > > > > spawn ssh -c 3des -x -l monitoring > > monitoring@'s password: > > FGT50A3906508751 # > > FGT50A3906508751 # Timeout > > wie geht es. nlogin looks for the prompt to end with "-> "; why is it "#" > here? ISTR someone saying that the format had changed and trying to > understand when and under what circumstances, but not being able to verify. > Content-Description: rancid-2.3.4_fortigate_2x-3x.patch > --- rancid-2.3.4/bin/Makefile.in 2010-10-02 08:31:22.000000000 +0200 > +++ rancid-patch/bin/Makefile.in 2010-10-02 08:29:48.000000000 +0200 > @@ -54,7 +54,7 @@ > $(srcdir)/hlogin.in $(srcdir)/hrancid.in $(srcdir)/htlogin.in \ > $(srcdir)/htrancid.in $(srcdir)/jerancid.in \ > $(srcdir)/jlogin.in $(srcdir)/jrancid.in $(srcdir)/mrancid.in \ > - $(srcdir)/mrvlogin.in $(srcdir)/mrvrancid.in \ > + $(srcdir)/mrvlogin.in $(srcdir)/mrvrancid.in $(srcdir)/fnlogin.in \ > $(srcdir)/nlogin.in $(srcdir)/nrancid.in $(srcdir)/nslogin.in \ > $(srcdir)/nsrancid.in $(srcdir)/nxrancid.in $(srcdir)/par.in \ > $(srcdir)/prancid.in $(srcdir)/rancid-fe.in \ > @@ -75,7 +75,7 @@ > arancid arrancid avologin avorancid blogin brancid cat5rancid \ > clogin rancid cssrancid elogin erancid f5rancid f10rancid \ > flogin francid fnrancid hlogin hrancid htlogin htrancid jlogin \ > - jrancid jerancid mrancid mrvlogin mrvrancid nlogin nrancid \ > + jrancid jerancid mrancid mrvlogin mrvrancid fnlogin nlogin nrancid \ > nslogin nsrancid nxrancid prancid rivlogin rivrancid rrancid \ > srancid tlogin tntlogin tntrancid trancid xrancid xrrancid \ > zrancid 
> @@ -247,7 +247,7 @@ > blogin brancid cat5rancid clogin control_rancid cssrancid \ > elogin erancid f5rancid f10rancid flogin fnrancid francid \ > hlogin hrancid htlogin htrancid jerancid jlogin jrancid \ > - mrancid mrvlogin mrvrancid nlogin nrancid nslogin nsrancid \ > + mrancid mrvlogin mrvrancid fnlogin nlogin nrancid nslogin nsrancid \ > nxrancid par prancid rancid-fe rancid rivlogin rivrancid \ > rrancid srancid tlogin tntlogin tntrancid trancid xrancid \ > xrrancid zrancid lg.cgi lgform.cgi rancid-cvs rancid-run > @@ -383,6 +383,8 @@ > cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > mrvrancid: $(top_builddir)/config.status $(srcdir)/mrvrancid.in > cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > +fnlogin: $(top_builddir)/config.status $(srcdir)/fnlogin.in > + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > nlogin: $(top_builddir)/config.status $(srcdir)/nlogin.in > cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > nrancid: $(top_builddir)/config.status $(srcdir)/nrancid.in > --- rancid-2.3.4/bin/fnlogin.in 1970-01-01 01:00:00.000000000 +0100 > +++ rancid-patch/bin/fnlogin.in 2010-10-02 08:29:48.000000000 +0200 
> @@ -0,0 +1,591 @@ > +#! @EXPECT_PATH@ -- > +## > +## $Id: fnlogin.in,v 1.51 2009/04/16 21:22:58 heas Exp $ > +## patched to accomplish fortinet from nlogin > +## by: Daniel G. Epstein > +## adapted by: Diego Ercolani > +## > +## @PACKAGE@ @VERSION@ > +## Copyright (c) 1997-2009 by Terrapin Communications, Inc. > +## All rights reserved. > +## > +## This code is derived from software contributed to and maintained by > +## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan, > +## Pete Whiting, Austin Schutz, and Andrew Fort. > +## > +## Redistribution and use in source and binary forms, with or without > +## modification, are permitted provided that the following conditions > +## are met: > +## 1. Redistributions of source code must retain the above copyright > +## notice, this list of conditions and the following disclaimer. > +## 2. Redistributions in binary form must reproduce the above copyright > +## notice, this list of conditions and the following disclaimer in the > +## documentation and/or other materials provided with the distribution. > +## 3. All advertising materials mentioning features or use of this software > +## must display the following acknowledgement: > +## This product includes software developed by Terrapin Communications, > +## Inc. and its contributors for RANCID. > +## 4. Neither the name of Terrapin Communications, Inc. nor the names of its > +## contributors may be used to endorse or promote products derived from > +## this software without specific prior written permission. > +## 5. It is requested that non-binding fixes and modifications be contributed > +## back to Terrapin Communications, Inc. > +## > +## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS > +## ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED > +## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > +## PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS > +## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > +## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > +## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > +## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > +## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > +## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE > +## POSSIBILITY OF SUCH DAMAGE. > +# > +# The expect login scripts were based on Erik Sherk's gwtn, by permission. > +# > +# Netscreen hacks implemented by Stephen Gill . > +# Fortinet hacks by Daniel G. Epstein > +# > +# fnlogin - fortinet login > +# > +# Most options are intuitive for logging into a netscreen firewall. > +# > +# Misc notes > +# netscreen does not have the concept of "enable", once logged in, a > +# users permissions can not change. > + > +# Usage line > +set usage "Usage: $argv0 \[-dSV\] \[-c command\] \[-Evar=x\] \ > +\[-f cloginrc-file\] \[-p user-password\] \ > +\[-s script-file\] \[-t timeout\] \[-u username\] \ > +\[-v vty-password\] \[-x command-file\] \ > +\[-y ssh_cypher_type\] router \[router...\]\n" > + > +# env(CLOGIN) may contain: > +# x == do not set xterm banner or name > + > +# Password file > +set password_file $env(HOME)/.cloginrc > +# Default is to login to the firewall > +set do_command 0 > +set do_script 0 > +# The default is to look in the password file to find the passwords. This > +# tracks if we receive them on the command line. > +set do_passwd 1 > +set do_enapasswd 1 > +# Save config, if prompted > +set do_saveconfig 0 > + > +# Find the user in the ENV, or use the unix userid. 
> +if {[ info exists env(CISCO_USER) ]} { > + set default_user $env(CISCO_USER) > +} elseif {[ info exists env(USER) ]} { > + set default_user $env(USER) > +} elseif {[ info exists env(LOGNAME) ]} { > + set default_user $env(LOGNAME) > +} else { > + # This uses "id" which I think is portable. At least it has existed > + # (without options) on all machines/OSes I've been on recently - > + # unlike whoami or id -nu. > + if [ catch {exec id} reason ] { > + send_error "\nError: could not exec id: $reason\n" > + exit 1 > + } > + regexp {\(([^)]*)} "$reason" junk default_user > +} > +if {[ info exists env(CLOGINRC) ]} { > + set password_file $env(CLOGINRC) > +} > + > +# Sometimes firewall take awhile to answer (the default is 10 sec) > +set timeout 45 > + > +# Process the command line > +for {set i 0} {$i < $argc} {incr i} { > + set arg [lindex $argv $i] > + > + switch -glob -- $arg { > + # Expect debug mode > + -d* { > + exp_internal 1 > + # Username > + } -u* { > + if {! [ regexp .\[uU\](.+) $arg ignore user]} { > + incr i > + set username [ lindex $argv $i ] > + } > + # VTY Password > + } -p* { > + if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} { > + incr i > + set userpasswd [ lindex $argv $i ] > + } > + set do_passwd 0 > + # Environment variable to pass to -s scripts > + } -E* { > + if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} { > + set E$varname $varvalue > + } else { > + send_user "\nError: invalid format for -E in $arg\n" > + exit 1 > + } > + # Command to run. > + } -c* { > + if {! [ regexp .\[cC\](.+) $arg ignore command]} { > + incr i > + set command [ lindex $argv $i ] > + } > + set do_command 1 > + # Expect script to run. > + } -s* { > + if {! [ regexp .\[sS\](.+) $arg ignore sfile]} { > + incr i > + set sfile [ lindex $argv $i ] > + } > + if { ! 
[ file readable $sfile ] } { > + send_user "\nError: Can't read $sfile\n" > + exit 1 > + } > + set do_script 1 > + # save config on exit > + } -S* { > + set do_saveconfig 1 > + # cypher type > + } -y* { > + if {! [ regexp .\[eE\](.+) $arg ignore cypher]} { > + incr i > + set cypher [ lindex $argv $i ] > + } > + # alternate cloginrc file > + } -f* { > + if {! [ regexp .\[fF\](.+) $arg ignore password_file]} { > + incr i > + set password_file [ lindex $argv $i ] > + } > + } -t* { > + incr i > + set timeout [ lindex $argv $i ] > + } -x* { > + if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} { > + incr i > + set cmd_file [ lindex $argv $i ] > + } > + if [ catch {set cmd_fd [open $cmd_file r]} reason ] { > + send_user "\nError: $reason\n" > + exit 1 > + } > + set cmd_text [read $cmd_fd] > + close $cmd_fd > + set command [join [split $cmd_text \n] \;] > + set do_command 1 > + # Version string > + } -V* { > + send_user "@PACKAGE@ @VERSION@\n" > + exit 0 > + # Does tacacs automatically enable us? > + } -autoenable { > + # ignore autoenable > + } -* { > + send_user "\nError: Unknown argument! $arg\n" > + send_user $usage > + exit 1 > + } default { > + break > + } > + } > +} > +# Process firewalls...no firewalls listed is an error. > +if { $i == $argc } { > + send_user "\nError: $usage" > +} > + > +# Only be quiet if we are running a script (it can log its output > +# on its own) > +if { $do_script } { > + log_user 0 > +} else { > + log_user 1 > +} > + > +# > +# Done configuration/variable setting. Now run with it... 
> +# > + > +# Sets Xterm title if interactive...if its an xterm and the user cares > +proc label { host } { > + global env > + # if CLOGIN has an 'x' in it, don't set the xterm name/banner > + if [info exists env(CLOGIN)] { > + if {[string first "x" $env(CLOGIN)] != -1} { return } > + } > + # take host from ENV(TERM) > + if [info exists env(TERM)] { > + if [regexp \^(xterm|vs) $env(TERM) ignore ] { > + send_user "\033]1;[lindex [split $host "."] 0]\a" > + send_user "\033]2;$host\a" > + } > + } > +} > + > +# This is a helper function to make the password file easier to > +# maintain. Using this the password file has the form: > +# add password sl* pete cow > +# add password at* steve > +# add password * hanky-pie > +proc add {var args} { global int_$var ; lappend int_$var $args} > +proc include {args} { > + global env > + regsub -all "(^{|}$)" $args {} args > + if { [ regexp "^/" $args ignore ] == 0 } { > + set args $env(HOME)/$args > + } > + source_password_file $args > +} > + > +proc find {var router} { > + upvar int_$var list > + if { [info exists list] } { > + foreach line $list { > + if { [string match [lindex $line 0] $router ] } { > + return [lrange $line 1 end] > + } > + } > + } > + return {} > +} > + > +# Loads the password file. Note that as this file is tcl, and that > +# it is sourced, the user better know what to put in there, as it > +# could install more than just password info... I will assume however, > +# that a "bad guy" could just as easy put such code in the clogin > +# script, so I will leave .cloginrc as just an extention of that script > +proc source_password_file { password_file } { > + global env > + if { ! 
[file exists $password_file] } { > + send_user "\nError: password file ($password_file) does not exist\n" > + exit 1 > + } > + file stat $password_file fileinfo > + if { [expr ($fileinfo(mode) & 007)] != 0000 } { > + send_user "\nError: $password_file must not be world readable/writable\n" > + exit 1 > + } > + if [ catch {source $password_file} reason ] { > + send_user "\nError: $reason\n" > + exit 1 > + } > +} > + > +# Log into the firewall. > +# returns: 0 on success, 1 on failure > +proc login { router user userpswd passwd enapasswd prompt cmethod cyphertype } { > + global spawn_id in_proc do_command do_script sshcmd > + set in_proc 1 > + set uprompt_seen 0 > + > + # Telnet to the firewall & try to login. > + set progs [llength $cmethod] > + foreach prog [lrange $cmethod 0 end] { > + incr progs -1 > + if [string match "telnet*" $prog] { > + regexp {telnet(:([^[:space:]]+))*} $prog command suffix port > + if {"$port" == ""} { > + set retval [ catch {spawn telnet $router} reason ] > + } else { > + set retval [ catch {spawn telnet $router $port} reason ] > + } > + if { $retval } { > + send_user "\nError: telnet failed: $reason\n" > + return 1 > + } > + } elseif [string match "ssh*" $prog] { > + regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port > + if {"$port" == ""} { > + set cmd [join [lindex $sshcmd 0] " "] > + set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user $router" { }]} reason ] > + } else { > + set cmd [join [lindex $sshcmd 0] " "] > + set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user -p $port $router" { }]} reason ] > + } > + if { $retval } { > + send_user "\nError: $sshcmd failed: $reason\n" > + return 1 > + } > + } elseif ![string compare $prog "rsh"] { > + send_error "\nError: unsupported method: rsh\n" > + if { $progs == 0 } { > + return 1 > + } > + continue; > + } else { > + send_user "\nError: unknown connection method: $prog\n" > + return 1 > + } > + > + sleep 0.3 > + > + # This helps cleanup each 
expect clause. > + expect_after { > + timeout { > + send_user "\nError: TIMEOUT reached\n" > + catch {close}; catch {wait}; > + if { $in_proc} { > + return 1 > + } else { > + continue > + } > + } eof { > + send_user "\nError: EOF received\n" > + catch {close}; catch {wait}; > + if { $in_proc} { > + return 1 > + } else { > + continue > + } > + } > + } > + > + # Here we get a little tricky. There are several possibilities: > + # the firewall can ask for a username and passwd and then > + # talk to the TACACS server to authenticate you, or if the > + # TACACS server is not working, then it will use the enable > + # passwd. Or, the firewall might not have TACACS turned on, > + # then it will just send the passwd. > + # if telnet fails with connection refused, try ssh > + expect { > + -re "(Connection refused|Secure connection \[^\n\r]+ refused)" { > + catch {close}; catch {wait}; > + if !$progs { > + send_user "\nError: Connection Refused ($prog): $router\n" > + return 1 > + } > + } > + -re "(Connection closed by|Connection to \[^\n\r]+ closed)" { > + catch {close}; catch {wait}; > + if !$progs { > + send_user "\nError: Connection closed ($prog): $router\n" > + return 1 > + } > + } > + eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 } > + -nocase "unknown host\r" { > + send_user "\nError: Unknown host $router\n"; > + catch {close}; catch {wait}; > + return 1 > + } > + "Host is unreachable" { > + send_user "\nError: Host Unreachable: $router\n"; > + catch {close}; catch {wait}; > + return 1 > + } > + "No address associated with name" { > + send_user "\nError: Unknown host $router\n"; > + catch {close}; catch {wait}; > + return 1 > + } > + -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" { > + send "yes\r" > + send_user "\nHost $router added to the list of known hosts.\n" > + exp_continue } > + -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" 
{ > + send "no\r" > + send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n" > + catch {close}; catch {wait}; > + return 1 > + } > + -re "Offending key for .* \(yes\/no\)\?" { > + send "no\r" > + send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n" > + catch {close}; catch {wait}; > + return 1 > + } > + -re "(denied|Sorry)" { > + send_user "\nError: Check your passwd for $router\n" > + catch {close}; catch {wait}; return 1 > + } > + "Login failed" { > + send_user "\nError: Check your passwd for $router\n"; > + catch {close}; catch {wait}; return 1 > + } > + -re "(login:)" { > + sleep 1; > + send -- "$user\r" > + set uprompt_seen 1 > + exp_continue > + } > + -re "@\[^\r\n]+\[Pp]assword:" { > + # ssh pwd prompt > + sleep 1 > + send -- "$userpswd\r" > + exp_continue > + } > + "\[Pp]assword:" { > + sleep 1; > + if {$uprompt_seen == 1} { > + send -- "$userpswd\r" > + } else { > + send -- "$passwd\r" > + } > + exp_continue > + } > + -- "$prompt" { break; } > + } > + } > + set in_proc 0 > + return 0 > +} > + > +# Run commands given on the command line. > +proc run_commands { prompt command } { > + global in_proc > + set in_proc 1 > + > + # Disable output paging. 
> + send -- "config system console\r" > + expect -re $prompt; send -- "set output standard\r" > + expect -re $prompt; send -- "end\r" > + expect -re $prompt; > + > + set commands [split $command \;] > + set num_commands [llength $commands] > + for {set i 0} {$i < $num_commands} { incr i} { > + send -- "[subst [lindex $commands $i]]\r" > +# send_user "**************** [subst [lindex $commands $i]] ************\n" > + expect { > + -re "$prompt" { send "\r" > + sleep 0.5 > + } > + -gl "--More--" { send " " > + exp_continue > + -re "\[\n\r]+" { exp_continue } > + } > + } > + } > +# send_user "******* fuori da ciclo for *******\n" > + expect { > + -re "$prompt$" { > + send "exit\r" > + sleep 0.5 > + exp_continue > + } > + -re "\[\n\r]+" { exp_continue } > + -gl "Configuration modified, save?" { > + send "n\r" > + exp_continue > + } > + timeout { catch {close}; catch {wait}; > + return 0 > + } > + eof { return 0 } > + } > + set in_proc 0 > +} > + > +# > +# For each firewall... (this is main loop) > +# > +source_password_file $password_file > +set in_proc 0 > +set exitval 0 > +foreach router [lrange $argv $i end] { > + set router [string tolower $router] > + send_user "$router\n" > + > + # FortiOS 2.x prompts can end in either '#' or '$' > + set prompt "\[#\\$] " > + > + # Figure out passwords > + if { $do_passwd || $do_enapasswd } { > + set pswd [find password $router] > + if { [llength $pswd] == 0 } { > + send_user "\nError: no password for $router in $password_file.\n" > + continue > + } > + set passwd [join [lindex $pswd 0] ""] > + set enapasswd [join [lindex $pswd 1] ""] > + } else { > + set passwd $userpasswd > + set enapasswd $enapasswd > + } > + > + # Figure out username > + if {[info exists username]} { > + # command line username > + set ruser $username > + } else { > + set ruser [join [find user $router] ""] > + if { "$ruser" == "" } { set ruser $default_user } > + } > + > + # Figure out username's password (if different from the vty password) > + if {[info 
exists userpasswd]} { > + # command line username > + set userpswd $userpasswd > + } else { > + set userpswd [join [find userpassword $router] ""] > + if { "$userpswd" == "" } { set userpswd $passwd } > + } > + > + > + # Figure out cypher type > + if {[info exists cypher]} { > + # command line cypher type > + set cyphertype $cypher > + } else { > + set cyphertype [find cyphertype $router] > + if { "$cyphertype" == "" } { set cyphertype "3des" } > + } > + > + # Figure out connection method > + set cmethod [find method $router] > + if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} } > + > + # Figure out the SSH executable name > + set sshcmd [find sshcmd $router] > + if { "$sshcmd" == "" } { set sshcmd {ssh} } > + > + # Login to the router > + if {[login $router $ruser $userpswd $passwd $enapasswd $prompt $cmethod $cyphertype]} { > + incr exitval > + continue > + } > + > + # we are logged in, now figure out the full prompt based on what the device sends us. > + send "\r" > + expect { > + -re "\[\r\n]+" { exp_continue; } > + -re "^(.+$prompt)" { set junk $expect_out(0,string); } > + if {[$junk = "(^\\$ $)"]} { > + set prompt $junk; > + } else { > + if {[$junk = "(^# $)"]} { set prompt $junk ; } > + }; > + } > + > + if { $do_command } { > + if {[run_commands $prompt $command]} { > + incr exitval > + continue > + } > + } elseif { $do_script } { > + # Disable output paging. > + send "config system console\r" > + send "set output standard\r" > + send "end\r" > + expect -re $prompt {} > + source $sfile > + catch {close}; > + } else { > + label $router > + log_user 1 > + interact > + } > + > + # End of for each firewall > + catch {wait}; > + sleep 0.3 > +} > +exit $exitval > + > --- rancid-2.3.4/bin/fnrancid.in 2010-10-02 08:31:34.000000000 +0200 > +++ rancid-patch/bin/fnrancid.in 2010-10-02 08:29:48.000000000 +0200 
> @@ -48,6 +48,7 @@ > # usage: rancid [-dV] [-l] [-f filename | hostname] > # > use Getopt::Std; > +use Data::Dumper; > getopts('dflV'); > if ($opt_V) { > print "@PACKAGE@ @VERSION@\n"; > @@ -59,10 +60,11 @@ > $file = $opt_f; > $host = $ARGV[0]; > $found_end = 0; > -$timeo = 90; # nlogin timeout in seconds > +$timeo = 90; # fnlogin timeout in seconds > > my(@commandtable, %commands, @commands);# command lists > my($aclsort) = ("ipsort"); # ACL sorting mode > +$aclsort = ""; # disable sort > my($filter_commstr); # SNMP community string filtering > my($filter_pwds); # password filtering mode > > @@ -174,10 +176,35 @@ > tr/\015//d; > next if /^\s*$/; > last if (/$prompt/); > - > next if (/^System Time:/); > next if (/^FortiClient application signature package:/); > - ProcessHistory("","","","$_"); > + if(/^\s*(System time:) (.*)/) { > + ProcessHistory("System time","","","$1 ****removed****"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^\s*(Virus-DB:) (.*)/) { > + ProcessHistory("$1","","","$1 ****removed****\n"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^\s*(Extended DB:) (.*)/) { > + ProcessHistory("$1","","","$1 ****removed****\n"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^\s*(IPS-DB:) (.*)/) { > + ProcessHistory("$1","","","$1 ****removed****\n"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^get system status/) { > + # sometimes compare on the console so filter out > + next; > + } > + # - Comment system info in file with '!'. > + ProcessHistory("","","","!$_"); > + > } > ProcessHistory("SYSTEM","","","\n"); > return(0); 
> @@ -197,11 +224,22 @@ > while () { > tr/\015//d; > next if /^\s*$/; > + next if(/^\s*!System time:/); # System time is fortigate extraction time so remove it > + # remove occurrances of conf_file_ver > + if ( /^\s*(#conf_file_ver=)([0-9]+)(.*)/i && $filter_pwds >0 ) { > + #print STDERR "removed serial number -->!$1$2$3\n"; > + ProcessHistory("conf_file_ver","","","!$1**removed**$3\n"); > + next; > + } > last if (/$prompt/); > > next if (/^conf_file_ver=/); > - if (/(^set.*)('Enc .*')(.*)/) { > - ProcessHistory("ENC","","","!$1 'Enc **encoding removed**' $3\n"); > + # Remove all the variability from the configuration versions > + # if filter_pwds is enabled, filter out also variabilities between configurations > + # password encription is different between extraction so filtering out encoding > + if ( /^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds >0 ) { > + # print STDERR "removed password-->!$1 ENC **encoding removed** $3\n"; > + ProcessHistory("ENC","","","!$1 ENC **encoding removed**' $3\n"); > next; > } > ProcessHistory("","","","$_"); > @@ -216,7 +254,7 @@ > # Main > @commandtable = ( > {'get system status' => 'GetSystem'}, > - {'get conf' => 'GetConf'} > + {'show full-configuration' => 'GetConf'} > ); > # Use an array to preserve the order of the commands and a hash for mapping > # commands to the subroutine and track commands that have been completed. 
> @@ -245,13 +283,13 @@ > print STDOUT "opening file $host\n" if ($log); > open(INPUT,"<$host") || die "open failed for $host: $!\n"; > } else { > - print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); > - print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); > + print STDERR "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); > + print STDOUT "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); > if (defined($ENV{NOPIPE})) { > - system "nlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "nlogin failed for $host: $!\n"; > + system "fnlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "nlogin failed for $host: $!\n"; > open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n"; > } else { > - open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host + open(INPUT,"fnlogin -t $timeo -c \"$cisco_cmds\" $host } > } 
> > @@ -279,14 +317,34 @@ > TOP: while() { > tr/\015//d; > if (/^Error:/) { > - print STDOUT ("$host nlogin error: $_"); > - print STDERR ("$host nlogin error: $_") if ($debug); > + print STDOUT ("$host fnlogin error: $_"); > + print STDERR ("$host fnlogin error: $_") if ($debug); > last; > } > - while (/>\s*($cmds_regexp)\s*$/) { > - $cmd = $1; > - if (!defined($prompt)) { $prompt = " >\s*"; } > - print STDERR ("HIT COMMAND:$_") if ($debug); > + while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) { > + $cmd = $2; > + # - FortiGate prompts end with either '#' or '$'. Further, they may > + # be prepended with a '~' if the hostname is too long. Therefore, > + # we need to figure out what our prompt really is. > + if (!defined($prompt)) { > + if ( $_ =~ m/^.+\~\$/ ) { > + $prompt = '\~\$ .*' ; > + } else { > + if ( $_ =~ m/^.+\$/ ) { > + $prompt = ' \$ .*' ; > + } else { > + if ( $_ =~ m/^.+\~#/ ) { > + $prompt = '\~# .*' ; > + } else { > + if ( $_ =~ m/^.+#/ ) { > + $prompt = ' # .*' ; > + } > + } > + } > + } > + } > + print STDERR ("HIT COMMAND:$_") if ($debug); > + > if (!defined($commands{$cmd})) { > print STDERR "$host: found unexpected command - \"$cmd\"\n"; > last TOP; > --- rancid-2.3.4/configure 2010-10-02 08:31:58.000000000 +0200 > +++ rancid-patch/configure 2010-10-02 08:29:49.000000000 +0200 > @@ -6042,7 +6042,7 @@ > > ac_config_files="$ac_config_files bin/flogin bin/francid" > > -ac_config_files="$ac_config_files bin/fnrancid" > +ac_config_files="$ac_config_files bin/fnlogin bin/fnrancid" > > ac_config_files="$ac_config_files bin/hlogin bin/hrancid" > From paleola at gmail.com Mon Oct 4 08:31:34 2010 
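Review bot: In the new bin/fnlogin.in (hunk @@ -0,0 +1,591 @@), the prompt-detection block that follows login in the main loop cannot work as written: the lines starting if {[$junk = "(^\\$ $)"]} sit inside the braces of expect { ... }, so Expect reads them as further pattern/action pairs and not as a conditional, and [$junk = ...] would run the captured prompt text as a command instead of comparing it. Move the test after the closing brace of the expect and compare $junk with regexp or string match. The same loop falls back to method {{telnet} {ssh}} and cipher "3des" when .cloginrc sets neither, so the password is offered over telnet first by default; for a new script, defaulting to ssh alone is worth considering.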
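Review bot: The use Data::Dumper; line added in the fnrancid.in hunk @@ -48,6 +48,7 @@ is not called from any of the fnrancid.in hunks shown here; it looks like debugging residue and can be dropped.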
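Review bot: In the fnrancid.in hunk @@ -174,10 +176,35 @@, the four masking branches are inconsistent with each other and with the catch-all below them: the "System time:" replacement has no trailing "\n" while the Virus-DB, Extended DB and IPS-DB ones do, and none of the four carries the '!' prefix that ProcessHistory("","","","!$_") now adds to every other line (the commented-out debug prints do have it). One loop over the list of labels emitting "!$1 ****removed****\n" would fix both, and the retained next if (/^System Time:/) could then be folded into it.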
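Review bot: In the fnrancid.in hunk @@ -197,11 +224,22 @@, masking of the Enc values is now conditional on $filter_pwds > 0, where the removed line masked them unconditionally; with filtering switched off, the encoded password strings end up in the stored configuration and in the diff mail. If that is intended, the comment should say so; otherwise keep the mask unconditional and gate only the conf_file_ver handling. The replacement string "!$1 ENC **encoding removed**' $3\n" also keeps a stray ' from the old format.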
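Review bot: In the fnrancid.in hunk @@ -245,13 +283,13 @@, a failed fnlogin run on the NOPIPE path goes undetected: in system "fnlogin ..." || die ..., the || binds to the command string, which is always true, so the die can never fire. Since the line is being touched anyway, write it as system(...) == 0 or die ..., and update the two die messages, which still say "nlogin failed for $host".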
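Review bot: In the fnrancid.in hunk @@ -279,14 +317,34 @@, the derived prompt patterns (' # .*', ' \$ .*' and the two '~' variants) are neither anchored nor tied to the hostname, so the last if (/$prompt/) tests in the GetSystem and GetConf loops can end parsing early on any output line that merely contains " # " or " $ ", leaving a truncated configuration in the repository. Capture the text before the '#' or '$' from the matched command line, quotemeta it, and anchor the pattern with ^. The four nested if/else tests can then collapse into a single match.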
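Review bot: The bin/fnlogin addition in the configure hunk @@ -6042,7 +6042,7 @@ is made in the generated script only; the patch as shown touches configure and bin/Makefile.in but not the autoconf/automake inputs they are built from, so the change will be lost the next time those files are regenerated. The same entries should be added to the source files.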
From: paleola at gmail.com (Aleksey P)
Date: Mon, 4 Oct 2010 12:31:34 +0400
Subject: [rancid] Why in Cisco rancid configs no "Last configuration change..." string?
In-Reply-To:
References:
Message-ID:

Thank you, all works fine!

On Wed, Sep 22, 2010 at 1:55 PM, Andrew Fort wrote:
>
> Those lines are intentionally filtered in the 'rancid' script. I
> believe there may have been a buggy IOS that produced spurious
> differentials on that output, based at least on the comment in the
> code.
>
> You can comment out the following in the 'rancid' script if you want
> to see those lines:
>
> (somewhere around line 1570)
>
> # some versions have other crap mixed in with the bits in the
> # block above
> /^! (Last configuration|NVRAM config last)/ && next;
>
> cheers,
> -a
>

From howie at thingy.com Mon Oct 4 14:21:58 2010
From: howie at thingy.com (Howard Jones)
Date: Mon, 04 Oct 2010 15:21:58 +0100
Subject: [rancid] Everything is a change? (svn not committing?)
Message-ID: <4CA9E306.1010903@thingy.com>

I've just made a new install of rancid 2.3.4 with a subversion backend.
It's picking up configs just fine every hour, but it doesn't seem to
commit changes to svn.

If I look in the logs, there are no errors, but if I run 'svn status'
from the var/$group directories, I get a list of files marked as either
modified or added. I also get a huge e-mail once an hour with the same
group of configs.

'svn update' in each group directory appears to fix it (until I set some
more devices from down to up), but is there anything that can be done to
make it work as expected?

Thanks in advance for any suggestions,

Howie

From W.Fuertbauer at asamer.at Sat Oct 2 16:58:45 2010
From: W.Fuertbauer at asamer.at (Fürtbauer Wolfgang)
Date: Sat, 2 Oct 2010 18:58:45 +0200
Subject: [rancid] fortinet problem
References: <47CE942B4E710145A27E5339D5B34E0101059CB8@aohexchange01.asamer.holding.ah> <20100930191501.GO10490@shrubbery.net> <47CE942B4E710145A27E5339D5B34E0101059CDA@aohexchange01.asamer.holding.ah> <20101001155645.GB24164@shrubbery.net> <47CE942B4E710145A27E5339D5B34E01BC0A6B@aohexchange01.asamer.holding.ah> <20101002143810.GA16269@shrubbery.net>
Message-ID: <47CE942B4E710145A27E5339D5B34E01BC0A6D@aohexchange01.asamer.holding.ah>

I think this prompt was for fortios version < 2
most devices are probably running on ver 3 now and this is covered by Diego's patch

will the patch be added to the main code?

BR
Wolfgang

Wolfgang Fürtbauer
Head of IT

ASAMER Holding AG
Unterthalham Strasse 2
4694 Ohlsdorf
AUSTRIA
tel +43 50 799 - 2500
fax +43 7612 799 - 9526
mobile +43 664 8332326
w.fuertbauer at asamer.at
www.asamer.at

This message is confidential. It may not be disclosed to, or used by, anyone other than the addressee. If you receive this message by mistake, please advise the sender.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Sat 02.10.2010 16:38
To: Fürtbauer Wolfgang
Cc: john heasley; rancid-discuss at shrubbery.net; diego.ercolani at ssis.sm
Subject: Re: [rancid] fortinet problem

Sat, Oct 02, 2010 at 08:39:40AM +0200, Fürtbauer Wolfgang:
> Dear John,
>
> I finally found the patch:
> http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
> and applied it (manually) against my rancid-2.3.4.
> It's working! Thanks a lot Diego!
>
> Probably this patch could be added to the main code?!
>
> to answer your question John: the prompt ends with a '#' for readonly-users
> and a '$' for read-write users

Thanks. When did this change from '->'? is there a need to support the
old prompt?

> BR
> Wolfgang
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Fri 01.10.2010 17:56
> To: Fürtbauer Wolfgang
> Cc: john heasley; rancid-discuss at shrubbery.net
> Subject: Re: [rancid] fortinet problem
>
> Fri, Oct 01, 2010 at 09:34:15AM +0200, Fürtbauer Wolfgang:
> > Dear John,
> >
> > Output of nlogin is:
> >
> > rancid at aohmonitoring01:~> nlogin
> >
> > spawn ssh -c 3des -x -l monitoring
> > monitoring@'s password:
> > FGT50A3906508751 #
> > FGT50A3906508751 # Timeout
>
> how are you. nlogin looks for the prompt to end with "-> "; why is it "#"
> here? ISTR someone saying that the format had changed and trying to
> understand when and under what circumstances, but not being able to verify.
> Content-Description: rancid-2.3.4_fortigate_2x-3x.patch
> --- rancid-2.3.4/bin/Makefile.in 2010-10-02 08:31:22.000000000 +0200 > +++ rancid-patch/bin/Makefile.in 2010-10-02 08:29:48.000000000 +0200 > @@ -54,7 +54,7 @@ > $(srcdir)/hlogin.in $(srcdir)/hrancid.in $(srcdir)/htlogin.in \ > $(srcdir)/htrancid.in $(srcdir)/jerancid.in \ > $(srcdir)/jlogin.in $(srcdir)/jrancid.in $(srcdir)/mrancid.in \ > - $(srcdir)/mrvlogin.in $(srcdir)/mrvrancid.in \ > + $(srcdir)/mrvlogin.in $(srcdir)/mrvrancid.in $(srcdir)/fnlogin.in \ > $(srcdir)/nlogin.in $(srcdir)/nrancid.in $(srcdir)/nslogin.in \ > $(srcdir)/nsrancid.in $(srcdir)/nxrancid.in $(srcdir)/par.in \ > $(srcdir)/prancid.in $(srcdir)/rancid-fe.in \ 
> @@ -75,7 +75,7 @@ > arancid arrancid avologin avorancid blogin brancid cat5rancid \ > clogin rancid cssrancid elogin erancid f5rancid f10rancid \ > flogin francid fnrancid hlogin hrancid htlogin htrancid jlogin \ > - jrancid jerancid mrancid mrvlogin mrvrancid nlogin nrancid \ > + jrancid jerancid mrancid mrvlogin mrvrancid fnlogin nlogin nrancid \ > nslogin nsrancid nxrancid prancid rivlogin rivrancid rrancid \ > srancid tlogin tntlogin tntrancid trancid xrancid xrrancid \ > zrancid > @@ -247,7 +247,7 @@ > blogin brancid cat5rancid clogin control_rancid cssrancid \ > elogin erancid f5rancid f10rancid flogin fnrancid francid \ > hlogin hrancid htlogin htrancid jerancid jlogin jrancid \ > - mrancid mrvlogin mrvrancid nlogin nrancid nslogin nsrancid \ > + mrancid mrvlogin mrvrancid fnlogin nlogin nrancid nslogin nsrancid \ > nxrancid par prancid rancid-fe rancid rivlogin rivrancid \ > rrancid srancid tlogin tntlogin tntrancid trancid xrancid \ > xrrancid zrancid lg.cgi lgform.cgi rancid-cvs rancid-run > @@ -383,6 +383,8 @@ > cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > mrvrancid: $(top_builddir)/config.status $(srcdir)/mrvrancid.in > cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > +fnlogin: $(top_builddir)/config.status $(srcdir)/fnlogin.in > + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > nlogin: $(top_builddir)/config.status $(srcdir)/nlogin.in > cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ > nrancid: $(top_builddir)/config.status $(srcdir)/nrancid.in > --- rancid-2.3.4/bin/fnlogin.in 1970-01-01 01:00:00.000000000 +0100 > +++ rancid-patch/bin/fnlogin.in 2010-10-02 08:29:48.000000000 +0200 
> @@ -0,0 +1,591 @@ > +#! @EXPECT_PATH@ -- > +## > +## $Id: fnlogin.in,v 1.51 2009/04/16 21:22:58 heas Exp $ > +## patched to accomplish fortinet from nlogin > +## by: Daniel G. Epstein > +## adapted by: Diego Ercolani > +## > +## @PACKAGE@ @VERSION@ > +## Copyright (c) 1997-2009 by Terrapin Communications, Inc. > +## All rights reserved. > +## > +## This code is derived from software contributed to and maintained by > +## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan, > +## Pete Whiting, Austin Schutz, and Andrew Fort. > +## > +## Redistribution and use in source and binary forms, with or without > +## modification, are permitted provided that the following conditions > +## are met: > +## 1. Redistributions of source code must retain the above copyright > +## notice, this list of conditions and the following disclaimer. > +## 2. Redistributions in binary form must reproduce the above copyright > +## notice, this list of conditions and the following disclaimer in the > +## documentation and/or other materials provided with the distribution. > +## 3. All advertising materials mentioning features or use of this software > +## must display the following acknowledgement: > +## This product includes software developed by Terrapin Communications, > +## Inc. and its contributors for RANCID. > +## 4. Neither the name of Terrapin Communications, Inc. nor the names of its > +## contributors may be used to endorse or promote products derived from > +## this software without specific prior written permission. > +## 5. It is requested that non-binding fixes and modifications be contributed > +## back to Terrapin Communications, Inc. > +## > +## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS > +## ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED > +## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > +## PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS > +## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > +## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > +## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > +## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > +## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > +## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE > +## POSSIBILITY OF SUCH DAMAGE. > +# > +# The expect login scripts were based on Erik Sherk's gwtn, by permission. > +# > +# Netscreen hacks implemented by Stephen Gill . > +# Fortinet hacks by Daniel G. Epstein > +# > +# fnlogin - fortinet login > +# > +# Most options are intuitive for logging into a netscreen firewall. > +# > +# Misc notes > +# netscreen does not have the concept of "enable", once logged in, a > +# users permissions can not change. > + > +# Usage line > +set usage "Usage: $argv0 \[-dSV\] \[-c command\] \[-Evar=x\] \ > +\[-f cloginrc-file\] \[-p user-password\] \ > +\[-s script-file\] \[-t timeout\] \[-u username\] \ > +\[-v vty-password\] \[-x command-file\] \ > +\[-y ssh_cypher_type\] router \[router...\]\n" > + > +# env(CLOGIN) may contain: > +# x == do not set xterm banner or name > + > +# Password file > +set password_file $env(HOME)/.cloginrc > +# Default is to login to the firewall > +set do_command 0 > +set do_script 0 > +# The default is to look in the password file to find the passwords. This > +# tracks if we receive them on the command line. > +set do_passwd 1 > +set do_enapasswd 1 > +# Save config, if prompted > +set do_saveconfig 0 > + > +# Find the user in the ENV, or use the unix userid. 
> +if {[ info exists env(CISCO_USER) ]} { > + set default_user $env(CISCO_USER) > +} elseif {[ info exists env(USER) ]} { > + set default_user $env(USER) > +} elseif {[ info exists env(LOGNAME) ]} { > + set default_user $env(LOGNAME) > +} else { > + # This uses "id" which I think is portable. At least it has existed > + # (without options) on all machines/OSes I've been on recently - > + # unlike whoami or id -nu. > + if [ catch {exec id} reason ] { > + send_error "\nError: could not exec id: $reason\n" > + exit 1 > + } > + regexp {\(([^)]*)} "$reason" junk default_user > +} > +if {[ info exists env(CLOGINRC) ]} { > + set password_file $env(CLOGINRC) > +} > + > +# Sometimes firewall take awhile to answer (the default is 10 sec) > +set timeout 45 > + > +# Process the command line > +for {set i 0} {$i < $argc} {incr i} { > + set arg [lindex $argv $i] > + > + switch -glob -- $arg { > + # Expect debug mode > + -d* { > + exp_internal 1 > + # Username > + } -u* { > + if {! [ regexp .\[uU\](.+) $arg ignore user]} { > + incr i > + set username [ lindex $argv $i ] > + } > + # VTY Password > + } -p* { > + if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} { > + incr i > + set userpasswd [ lindex $argv $i ] > + } > + set do_passwd 0 > + # Environment variable to pass to -s scripts > + } -E* { > + if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} { > + set E$varname $varvalue > + } else { > + send_user "\nError: invalid format for -E in $arg\n" > + exit 1 > + } > + # Command to run. > + } -c* { > + if {! [ regexp .\[cC\](.+) $arg ignore command]} { > + incr i > + set command [ lindex $argv $i ] > + } > + set do_command 1 > + # Expect script to run. > + } -s* { > + if {! [ regexp .\[sS\](.+) $arg ignore sfile]} { > + incr i > + set sfile [ lindex $argv $i ] > + } > + if { ! 
[ file readable $sfile ] } { > + send_user "\nError: Can't read $sfile\n" > + exit 1 > + } > + set do_script 1 > + # save config on exit > + } -S* { > + set do_saveconfig 1 > + # cypher type > + } -y* { > + if {! [ regexp .\[eE\](.+) $arg ignore cypher]} { > + incr i > + set cypher [ lindex $argv $i ] > + } > + # alternate cloginrc file > + } -f* { > + if {! [ regexp .\[fF\](.+) $arg ignore password_file]} { > + incr i > + set password_file [ lindex $argv $i ] > + } > + } -t* { > + incr i > + set timeout [ lindex $argv $i ] > + } -x* { > + if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} { > + incr i > + set cmd_file [ lindex $argv $i ] > + } > + if [ catch {set cmd_fd [open $cmd_file r]} reason ] { > + send_user "\nError: $reason\n" > + exit 1 > + } > + set cmd_text [read $cmd_fd] > + close $cmd_fd > + set command [join [split $cmd_text \n] \;] > + set do_command 1 > + # Version string > + } -V* { > + send_user "@PACKAGE@ @VERSION@\n" > + exit 0 > + # Does tacacs automatically enable us? > + } -autoenable { > + # ignore autoenable > + } -* { > + send_user "\nError: Unknown argument! $arg\n" > + send_user $usage > + exit 1 > + } default { > + break > + } > + } > +} > +# Process firewalls...no firewalls listed is an error. > +if { $i == $argc } { > + send_user "\nError: $usage" > +} > + > +# Only be quiet if we are running a script (it can log its output > +# on its own) > +if { $do_script } { > + log_user 0 > +} else { > + log_user 1 > +} > + > +# > +# Done configuration/variable setting. Now run with it... 
> +# > + > +# Sets Xterm title if interactive...if its an xterm and the user cares > +proc label { host } { > + global env > + # if CLOGIN has an 'x' in it, don't set the xterm name/banner > + if [info exists env(CLOGIN)] { > + if {[string first "x" $env(CLOGIN)] != -1} { return } > + } > + # take host from ENV(TERM) > + if [info exists env(TERM)] { > + if [regexp \^(xterm|vs) $env(TERM) ignore ] { > + send_user "\033]1;[lindex [split $host "."] 0]\a" > + send_user "\033]2;$host\a" > + } > + } > +} > + > +# This is a helper function to make the password file easier to > +# maintain. Using this the password file has the form: > +# add password sl* pete cow > +# add password at* steve > +# add password * hanky-pie > +proc add {var args} { global int_$var ; lappend int_$var $args} > +proc include {args} { > + global env > + regsub -all "(^{|}$)" $args {} args > + if { [ regexp "^/" $args ignore ] == 0 } { > + set args $env(HOME)/$args > + } > + source_password_file $args > +} > + > +proc find {var router} { > + upvar int_$var list > + if { [info exists list] } { > + foreach line $list { > + if { [string match [lindex $line 0] $router ] } { > + return [lrange $line 1 end] > + } > + } > + } > + return {} > +} > + > +# Loads the password file. Note that as this file is tcl, and that > +# it is sourced, the user better know what to put in there, as it > +# could install more than just password info... I will assume however, > +# that a "bad guy" could just as easy put such code in the clogin > +# script, so I will leave .cloginrc as just an extention of that script > +proc source_password_file { password_file } { > + global env > + if { ! 
[file exists $password_file] } { > + send_user "\nError: password file ($password_file) does not exist\n" > + exit 1 > + } > + file stat $password_file fileinfo > + if { [expr ($fileinfo(mode) & 007)] != 0000 } { > + send_user "\nError: $password_file must not be world readable/writable\n" > + exit 1 > + } > + if [ catch {source $password_file} reason ] { > + send_user "\nError: $reason\n" > + exit 1 > + } > +} > + > +# Log into the firewall. > +# returns: 0 on success, 1 on failure > +proc login { router user userpswd passwd enapasswd prompt cmethod cyphertype } { > + global spawn_id in_proc do_command do_script sshcmd > + set in_proc 1 > + set uprompt_seen 0 > + > + # Telnet to the firewall & try to login. > + set progs [llength $cmethod] > + foreach prog [lrange $cmethod 0 end] { > + incr progs -1 > + if [string match "telnet*" $prog] { > + regexp {telnet(:([^[:space:]]+))*} $prog command suffix port > + if {"$port" == ""} { > + set retval [ catch {spawn telnet $router} reason ] > + } else { > + set retval [ catch {spawn telnet $router $port} reason ] > + } > + if { $retval } { > + send_user "\nError: telnet failed: $reason\n" > + return 1 > + } > + } elseif [string match "ssh*" $prog] { > + regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port > + if {"$port" == ""} { > + set cmd [join [lindex $sshcmd 0] " "] > + set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user $router" { }]} reason ] > + } else { > + set cmd [join [lindex $sshcmd 0] " "] > + set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user -p $port $router" { }]} reason ] > + } > + if { $retval } { > + send_user "\nError: $sshcmd failed: $reason\n" > + return 1 > + } > + } elseif ![string compare $prog "rsh"] { > + send_error "\nError: unsupported method: rsh\n" > + if { $progs == 0 } { > + return 1 > + } > + continue; > + } else { > + send_user "\nError: unknown connection method: $prog\n" > + return 1 > + } > + > + sleep 0.3 > + > + # This helps cleanup each 
expect clause. > + expect_after { > + timeout { > + send_user "\nError: TIMEOUT reached\n" > + catch {close}; catch {wait}; > + if { $in_proc} { > + return 1 > + } else { > + continue > + } > + } eof { > + send_user "\nError: EOF received\n" > + catch {close}; catch {wait}; > + if { $in_proc} { > + return 1 > + } else { > + continue > + } > + } > + } > + > + # Here we get a little tricky. There are several possibilities: > + # the firewall can ask for a username and passwd and then > + # talk to the TACACS server to authenticate you, or if the > + # TACACS server is not working, then it will use the enable > + # passwd. Or, the firewall might not have TACACS turned on, > + # then it will just send the passwd. > + # if telnet fails with connection refused, try ssh > + expect { > + -re "(Connection refused|Secure connection \[^\n\r]+ refused)" { > + catch {close}; catch {wait}; > + if !$progs { > + send_user "\nError: Connection Refused ($prog): $router\n" > + return 1 > + } > + } > + -re "(Connection closed by|Connection to \[^\n\r]+ closed)" { > + catch {close}; catch {wait}; > + if !$progs { > + send_user "\nError: Connection closed ($prog): $router\n" > + return 1 > + } > + } > + eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 } > + -nocase "unknown host\r" { > + send_user "\nError: Unknown host $router\n"; > + catch {close}; catch {wait}; > + return 1 > + } > + "Host is unreachable" { > + send_user "\nError: Host Unreachable: $router\n"; > + catch {close}; catch {wait}; > + return 1 > + } > + "No address associated with name" { > + send_user "\nError: Unknown host $router\n"; > + catch {close}; catch {wait}; > + return 1 > + } > + -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" { > + send "yes\r" > + send_user "\nHost $router added to the list of known hosts.\n" > + exp_continue } > + -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" 
{ > + send "no\r" > + send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n" > + catch {close}; catch {wait}; > + return 1 > + } > + -re "Offending key for .* \(yes\/no\)\?" { > + send "no\r" > + send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n" > + catch {close}; catch {wait}; > + return 1 > + } > + -re "(denied|Sorry)" { > + send_user "\nError: Check your passwd for $router\n" > + catch {close}; catch {wait}; return 1 > + } > + "Login failed" { > + send_user "\nError: Check your passwd for $router\n"; > + catch {close}; catch {wait}; return 1 > + } > + -re "(login:)" { > + sleep 1; > + send -- "$user\r" > + set uprompt_seen 1 > + exp_continue > + } > + -re "@\[^\r\n]+\[Pp]assword:" { > + # ssh pwd prompt > + sleep 1 > + send -- "$userpswd\r" > + exp_continue > + } > + "\[Pp]assword:" { > + sleep 1; > + if {$uprompt_seen == 1} { > + send -- "$userpswd\r" > + } else { > + send -- "$passwd\r" > + } > + exp_continue > + } > + -- "$prompt" { break; } > + } > + } > + set in_proc 0 > + return 0 > +} > + > +# Run commands given on the command line. > +proc run_commands { prompt command } { > + global in_proc > + set in_proc 1 > + > + # Disable output paging. 
> + send -- "config system console\r" > + expect -re $prompt; send -- "set output standard\r" > + expect -re $prompt; send -- "end\r" > + expect -re $prompt; > + > + set commands [split $command \;] > + set num_commands [llength $commands] > + for {set i 0} {$i < $num_commands} { incr i} { > + send -- "[subst [lindex $commands $i]]\r" > +# send_user "**************** [subst [lindex $commands $i]] ************\n" > + expect { > + -re "$prompt" { send "\r" > + sleep 0.5 > + } > + -gl "--More--" { send " " > + exp_continue > + -re "\[\n\r]+" { exp_continue } > + } > + } > + } > +# send_user "******* fuori da ciclo for *******\n" > + expect { > + -re "$prompt$" { > + send "exit\r" > + sleep 0.5 > + exp_continue > + } > + -re "\[\n\r]+" { exp_continue } > + -gl "Configuration modified, save?" { > + send "n\r" > + exp_continue > + } > + timeout { catch {close}; catch {wait}; > + return 0 > + } > + eof { return 0 } > + } > + set in_proc 0 > +} > + > +# > +# For each firewall... (this is main loop) > +# > +source_password_file $password_file > +set in_proc 0 > +set exitval 0 > +foreach router [lrange $argv $i end] { > + set router [string tolower $router] > + send_user "$router\n" > + > + # FortiOS 2.x prompts can end in either '#' or '$' > + set prompt "\[#\\$] " > + > + # Figure out passwords > + if { $do_passwd || $do_enapasswd } { > + set pswd [find password $router] > + if { [llength $pswd] == 0 } { > + send_user "\nError: no password for $router in $password_file.\n" > + continue > + } > + set passwd [join [lindex $pswd 0] ""] > + set enapasswd [join [lindex $pswd 1] ""] > + } else { > + set passwd $userpasswd > + set enapasswd $enapasswd > + } > + > + # Figure out username > + if {[info exists username]} { > + # command line username > + set ruser $username > + } else { > + set ruser [join [find user $router] ""] > + if { "$ruser" == "" } { set ruser $default_user } > + } > + > + # Figure out username's password (if different from the vty password) > + if {[info 
exists userpasswd]} { > + # command line username > + set userpswd $userpasswd > + } else { > + set userpswd [join [find userpassword $router] ""] > + if { "$userpswd" == "" } { set userpswd $passwd } > + } > + > + > + # Figure out cypher type > + if {[info exists cypher]} { > + # command line cypher type > + set cyphertype $cypher > + } else { > + set cyphertype [find cyphertype $router] > + if { "$cyphertype" == "" } { set cyphertype "3des" } > + } > + > + # Figure out connection method > + set cmethod [find method $router] > + if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} } > + > + # Figure out the SSH executable name > + set sshcmd [find sshcmd $router] > + if { "$sshcmd" == "" } { set sshcmd {ssh} } > + > + # Login to the router > + if {[login $router $ruser $userpswd $passwd $enapasswd $prompt $cmethod $cyphertype]} { > + incr exitval > + continue > + } > + > + # we are logged in, now figure out the full prompt based on what the device sends us. > + send "\r" > + expect { > + -re "\[\r\n]+" { exp_continue; } > + -re "^(.+$prompt)" { set junk $expect_out(0,string); } > + if {[$junk = "(^\\$ $)"]} { > + set prompt $junk; > + } else { > + if {[$junk = "(^# $)"]} { set prompt $junk ; } > + }; > + } > + > + if { $do_command } { > + if {[run_commands $prompt $command]} { > + incr exitval > + continue > + } > + } elseif { $do_script } { > + # Disable output paging. > + send "config system console\r" > + send "set output standard\r" > + send "end\r" > + expect -re $prompt {} > + source $sfile > + catch {close}; > + } else { > + label $router > + log_user 1 > + interact > + } > + > + # End of for each firewall > + catch {wait}; > + sleep 0.3 > +} > +exit $exitval > + > --- rancid-2.3.4/bin/fnrancid.in 2010-10-02 08:31:34.000000000 +0200 > +++ rancid-patch/bin/fnrancid.in 2010-10-02 08:29:48.000000000 +0200 
> @@ -48,6 +48,7 @@ > # usage: rancid [-dV] [-l] [-f filename | hostname] > # > use Getopt::Std; > +use Data::Dumper; > getopts('dflV'); > if ($opt_V) { > print "@PACKAGE@ @VERSION@\n"; > @@ -59,10 +60,11 @@ > $file = $opt_f; > $host = $ARGV[0]; > $found_end = 0; > -$timeo = 90; # nlogin timeout in seconds > +$timeo = 90; # fnlogin timeout in seconds > > my(@commandtable, %commands, @commands);# command lists > my($aclsort) = ("ipsort"); # ACL sorting mode > +$aclsort = ""; # disable sort > my($filter_commstr); # SNMP community string filtering > my($filter_pwds); # password filtering mode > > @@ -174,10 +176,35 @@ > tr/\015//d; > next if /^\s*$/; > last if (/$prompt/); > - > next if (/^System Time:/); > next if (/^FortiClient application signature package:/); > - ProcessHistory("","","","$_"); > + if(/^\s*(System time:) (.*)/) { > + ProcessHistory("System time","","","$1 ****removed****"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^\s*(Virus-DB:) (.*)/) { > + ProcessHistory("$1","","","$1 ****removed****\n"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^\s*(Extended DB:) (.*)/) { > + ProcessHistory("$1","","","$1 ****removed****\n"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^\s*(IPS-DB:) (.*)/) { > + ProcessHistory("$1","","","$1 ****removed****\n"); > + #print STDERR "!$1 ****removed****\n"; > + next; > + } > + if(/^get system status/) { > + # sometimes compare on the console so filter out > + next; > + } > + # - Comment system info in file with '!'. > + ProcessHistory("","","","!$_"); > + > } > ProcessHistory("SYSTEM","","","\n"); > return(0); 
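Review bot: in the GetSystem hunk the new System time branch passes "$1 ****removed****" to ProcessHistory without the trailing "\n" that the Virus-DB, Extended DB and IPS-DB branches add, so the next recorded line will run on from it. None of the four masked lines carries the "!" prefix that the final ProcessHistory("","","","!$_") gives every other status line, although the commented-out debug prints show it. The four branches differ only in the label, so one regex with an alternation (System time|Virus-DB|Extended DB|IPS-DB) and a single ProcessHistory call with "!" and "\n" would remove the inconsistency.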
> @@ -197,11 +224,22 @@ > while () { > tr/\015//d; > next if /^\s*$/; > + next if(/^\s*!System time:/); # System time is fortigate extraction time so remove it > + # remove occurrances of conf_file_ver > + if ( /^\s*(#conf_file_ver=)([0-9]+)(.*)/i && $filter_pwds >0 ) { > + #print STDERR "removed serial number -->!$1$2$3\n"; > + ProcessHistory("conf_file_ver","","","!$1**removed**$3\n"); > + next; > + } > last if (/$prompt/); > > next if (/^conf_file_ver=/); > - if (/(^set.*)('Enc .*')(.*)/) { > - ProcessHistory("ENC","","","!$1 'Enc **encoding removed**' $3\n"); > + # Remove all the variability from the configuration versions > + # if filter_pwds is enabled, filter out also variabilities between configurations > + # password encription is different between extraction so filtering out encoding > + if ( /^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds >0 ) { > + # print STDERR "removed password-->!$1 ENC **encoding removed** $3\n"; > + ProcessHistory("ENC","","","!$1 ENC **encoding removed**' $3\n"); > next; > } > ProcessHistory("","","","$_"); > @@ -216,7 +254,7 @@ > # Main > @commandtable = ( > {'get system status' => 'GetSystem'}, > - {'get conf' => 'GetConf'} > + {'show full-configuration' => 'GetConf'} > ); > # Use an array to preserve the order of the commands and a hash for mapping > # commands to the subroutine and track commands that have been completed. 
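Review bot: in the GetConf hunk (@@ -197,11 +224,22 @@) the Enc mask now applies only when $filter_pwds > 0, where the removed code masked 'Enc ...' values unconditionally. The patch's own comment says the encoding differs between extractions, so with filtering off every run will store the encoded passwords and report a diff. Keep the mask unconditional or document the new behaviour. The replacement string also keeps a stray single quote after **encoding removed**, and the conf_file_ver mask is tied to $filter_pwds although it is not a credential, while the older next if (/^conf_file_ver=/) is still left below it.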
> @@ -245,13 +283,13 @@ > print STDOUT "opening file $host\n" if ($log); > open(INPUT,"<$host") || die "open failed for $host: $!\n"; > } else { > - print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); > - print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); > + print STDERR "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); > + print STDOUT "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); > if (defined($ENV{NOPIPE})) { > - system "nlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "nlogin failed for $host: $!\n"; > + system "fnlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "nlogin failed for $host: $!\n"; > open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n"; > } else { > - open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host + open(INPUT,"fnlogin -t $timeo -c \"$cisco_cmds\" $host } > } 
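Review bot: in the NOPIPE branch, system "fnlogin ..." || die ... cannot report a failed login: || binds to the command string, which is always true, so die is never evaluated, and system returns 0 on success in any case. Test the return value explicitly, for example system(...) == 0 or die ..., and change the two die messages in this hunk that still say "nlogin failed" to fnlogin so the log names the program that actually ran.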
> > @@ -279,14 +317,34 @@ > TOP: while() { > tr/\015//d; > if (/^Error:/) { > - print STDOUT ("$host nlogin error: $_"); > - print STDERR ("$host nlogin error: $_") if ($debug); > + print STDOUT ("$host fnlogin error: $_"); > + print STDERR ("$host fnlogin error: $_") if ($debug); > last; > } > - while (/>\s*($cmds_regexp)\s*$/) { > - $cmd = $1; > - if (!defined($prompt)) { $prompt = " >\s*"; } > - print STDERR ("HIT COMMAND:$_") if ($debug); > + while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) { > + $cmd = $2; > + # - FortiGate prompts end with either '#' or '$'. Further, they may > + # be prepended with a '~' if the hostname is too long. Therefore, > + # we need to figure out what our prompt really is. > + if (!defined($prompt)) { > + if ( $_ =~ m/^.+\~\$/ ) { > + $prompt = '\~\$ .*' ; > + } else { > + if ( $_ =~ m/^.+\$/ ) { > + $prompt = ' \$ .*' ; > + } else { > + if ( $_ =~ m/^.+\~#/ ) { > + $prompt = '\~# .*' ; > + } else { > + if ( $_ =~ m/^.+#/ ) { > + $prompt = ' # .*' ; > + } > + } > + } > + } > + } > + print STDERR ("HIT COMMAND:$_") if ($debug); > + > if (!defined($commands{$cmd})) { > print STDERR "$host: found unexpected command - \"$cmd\"\n"; > last TOP; > --- rancid-2.3.4/configure 2010-10-02 08:31:58.000000000 +0200 > +++ rancid-patch/configure 2010-10-02 08:29:49.000000000 +0200 > @@ -6042,7 +6042,7 @@ > > ac_config_files="$ac_config_files bin/flogin bin/francid" > > -ac_config_files="$ac_config_files bin/fnrancid" > +ac_config_files="$ac_config_files bin/fnlogin bin/fnrancid" > > ac_config_files="$ac_config_files bin/hlogin bin/hrancid" >
From natxo.asenjo at gmail.com Tue Oct 5 13:30:07 2010
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 5 Oct 2010 15:30:07 +0200
Subject: [rancid] special char in enable pwd
Message-ID:

hi,

I have a problem with an enable password in the .cloginrc file because it has a pound sign in it. I guess it interprets it as a comment. Is there a way to work around this? Or do I have to change the enable password?

Thanks in advance,
--
Groeten,
natxo

From natxo.asenjo at gmail.com Tue Oct 5 13:56:11 2010
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 5 Oct 2010 15:56:11 +0200
Subject: [rancid] special char in enable pwd
In-Reply-To:
References:
Message-ID:

On Tue, Oct 5, 2010 at 3:30 PM, Natxo Asenjo wrote:
> hi,
>
> I have a problem with an enable password in the .cloginrc file because
> it has a pound sign in it. I guess it interprets it as a comment. Is
> there a way to work around this? Or do I have to change the enable
> password?
>

I got it, Google found the answer with these search arguments:

site:http://www.shrubbery.net/pipermail/rancid-discuss/ password special character

I used {} around it and now it works.

Thanks!
natxo

From ms at man-da.de Wed Oct 6 08:16:53 2010
From: ms at man-da.de (Marcus Stoegbauer)
Date: Wed, 06 Oct 2010 10:16:53 +0200
Subject: [rancid] IOS XE 3 knows "show flash"
Message-ID: <4CAC3075.50606@man-da.de>

Hi,

IOS XE 3 learned the "show flash" command, which makes for redundant information since all the output is already included in the "dir" commands. Treating $type="ASR100." the same as 7000, 7200, 7500, or 12000 in ShowFlash fixes the annoyance; the patch is below.

Marcus

--- rancid-2.3.5/bin/rancid.in 2010-09-08 03:36:08.000000000 +0200 +++ rancid-2.3.5-my/bin/rancid.in 2010-10-06 10:08:18.000000000 +0200
@@ -698,7 +698,7 @@ tr/\015//d; last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); - return(1) if ($type =~ /^(12[40]|7)/); + return(1) if ($type =~ /^(12[40]|7|ASR100.)/); return(1) if (/^\s*\^\s*$/); return(1) if (/Line has invalid autocommand /); return(1) if (/(Invalid (input|command) detected|Type help or )/i); From ler762 at gmail.com Wed Oct 6 18:27:19 2010 From: ler762 at gmail.com (Lee) Date: Wed, 6 Oct 2010 14:27:19 -0400 Subject: [rancid] term width changes Message-ID: Maybe this falls into the "don't do that category", but I've been doing rancid-run interactively as well as from cron & getting ~3MB emails because the line width changes when run interactively vs. started from crontab. For example: - !VLAN: Gi1/0/45, Gi1/0/46, Gi1/0/47 - !VLAN: Gi1/0/48, Gi1/0/49, Gi1/0/50 - !VLAN: Gi1/0/51 + !VLAN: 1 default active Gi1/0/1, Gi1/0/2, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/14, Gi1/0/15, Gi1/0/16 + !VLAN: Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24 + !VLAN: Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29, Gi1/0/30, Gi1/0/31, Gi1/0/32 This fixes the problem for me: diff -U 6 rancid-2.3.5/bin/clogin ~rancid/bin/clogin --- rancid-2.3.5/bin/clogin 2010-09-23 10:58:12.000000000 -0400 +++ ~/rancid/bin/clogin 2010-10-06 12:18:53.000000000 -0400 @@ -600,16 +604,22 @@ send "set length 0\r" # This is ugly, but reduces code duplication, allowing the # subsequent expects to handle everything as normal. set command "set logging session disable;$command" } else { send "terminal length 0\r" + expect { + -re $prompt {} + -re "\[\n\r]+" { exp_continue } + } + send "terminal width 132\r" ;# --LR-- } # match cisco config mode prompts too, such as router(config-if)#, # but catalyst does not change in this fashion. expect { -re $reprompt {} -re "\[\n\r]+" { exp_continue } Lee From ler762 at gmail.com Wed Oct 6 18:32:06 2010 
From: ler762 at gmail.com (Lee) Date: Wed, 6 Oct 2010 14:32:06 -0400 Subject: [rancid] term width typo? Message-ID: kind of looks like a typo - "set width" instead of :"term width" for a not CatOS box: diff -U 6 rancid-2.3.5/bin/clogin ~/rancid/bin/clogin --- rancid-2.3.5/bin/clogin 2010-09-23 10:58:12.000000000 -0400 +++ ~/rancid/bin/clogin 2010-10-06 12:18:53.000000000 -0400 @@ -886,22 +896,23 @@ send "set width 80\r" expect -re $prompt {} send "set logging session disable\r" } else { send "terminal length 0\r" expect -re $prompt {} - send "set width 80\r" + # --LR-- send "set width 80\r" + send "terminal width 132\r" } expect -re $prompt {} source $sfile catch {close}; } else { Lee From ler762 at gmail.com Wed Oct 6 18:39:06 2010 From: ler762 at gmail.com (Lee) Date: Wed, 6 Oct 2010 14:39:06 -0400 Subject: [rancid] ignoring DHCP database files in flash Message-ID: The DHCP database files weren't being ignored on c2800 routers: @@ -25,13 +25,13 @@ !Flash: 8 194060 Jan 24 2009 02:19:30 atro_main2.au !Flash: 10 322058 Jan 30 2010 00:58:38 atro_aa.au !Flash: 11 462058 Apr 02 2010 15:16:38 atro_aa_4_2.au !Flash: 12 384058 May 07 2010 23:00:40 atro_aa_5_7.au !Flash: 13 59478200 Jun 03 2010 23:44:28 c2800nm-adventerprisek9-mz.124-24.T3.bin !Flash: 14 384058 May 17 2010 23:37:08 ATRO_AA_5_17.au - !Flash: 15 4235 Oct 06 2010 09:37:44 dhcp_database.txt + !Flash: 15 4235 Oct 06 2010 16:18:50 dhcp_database.txt sub ShowFlash also needs to ignore DHCP database files: diff -U 6 rancid-2.3.5/bin/rancid ~/rancid/bin/rancid --- rancid-2.3.5/bin/rancid 2010-09-23 10:58:12.000000000 -0400 +++ ~/rancid/bin/rancid 2010-10-06 13:22:37.000000000 -0400 
@@ -695,12 +695,13 @@ print STDERR " In ShowFlash: $_" if ($debug); while () { tr/\015//d; last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); + next if (/dhcp[-_]database/); ;# --LR-- return(1) if ($type =~ /^(12[40]|7)/); return(1) if (/^\s*\^\s*$/); return(1) if (/Line has invalid autocommand /); return(1) if (/(Invalid (input|command) detected|Type help or )/i); return(-1) if (/command authorization failed/i); # the pager can not be disabled per-session on the PIX

Lee

From mtinka at globaltransit.net Wed Oct 6 07:54:32 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 6 Oct 2010 15:54:32 +0800
Subject: [rancid] Noisy Cisco ASR1002
Message-ID: <201010061554.33180.mtinka@globaltransit.net>

Hello all.

Following an upgrade to Cisco IOS XE 3.1S for the Cisco ASR1002 router, there is a new level of logging activity that is being written to the router's 'bootflash' file system at least every few minutes.

Our RANCID runs every half-hour, so e-mails have become noisy and run the risk of desensitizing our NOC.

Any suggestions on how this can be filtered without affecting the 'dir bootflash' command used for the other routers?

All help appreciated.

Cheers,

Mark.

From mtinka at globaltransit.net Wed Oct 6 20:20:32 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 7 Oct 2010 04:20:32 +0800
Subject: [rancid] Noisy Cisco ASR1002
In-Reply-To: <201010061554.33180.mtinka@globaltransit.net>
References: <201010061554.33180.mtinka@globaltransit.net>
Message-ID: <201010070420.33087.mtinka@globaltransit.net>

So I sent this yesterday but it couldn't leave because my IP address wasn't liked by the mailing list mail server.

That said, no sooner had I crafted and tried to send this than Marcus' e-mail showed up detailing the exact same problem. He had a back-and-forth and got it sorted out.

IOS XE 3.1S has become quite chatty.

Cheers,

Mark.

From heas at shrubbery.net Wed Oct 6 22:30:19 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 6 Oct 2010 15:30:19 -0700
Subject: [rancid] IOS XE 3 knows "show flash"
In-Reply-To: <4CAC3075.50606@man-da.de>
References: <4CAC3075.50606@man-da.de>
Message-ID: <20101006223019.GP310@shrubbery.net>

Wed, Oct 06, 2010 at 10:16:53AM +0200, Marcus Stoegbauer:
> Hi,
>
> IOS XE 3 learned the "show flash" command, which makes for redundant
> information since all the output is already included in the "dir"
> commands. Treating $type="ASR100." the same as 7000, 7200, 7500, or
> 12000 in ShowFlash fixes the annoyance, the patch is below.
>
> Marcus
>
> --- rancid-2.3.5/bin/rancid.in 2010-09-08 03:36:08.000000000 +0200 > +++ rancid-2.3.5-my/bin/rancid.in 2010-10-06 10:08:18.000000000 +0200
> @@ -698,7 +698,7 @@ > tr/\015//d; > last if (/^$prompt/); > next if (/^(\s*|\s*$cmd\s*)$/); > - return(1) if ($type =~ /^(12[40]|7)/); > + return(1) if ($type =~ /^(12[40]|7|ASR100.)/); should this be return(1) if ($ios eq "XE"); > return(1) if (/^\s*\^\s*$/); > return(1) if (/Line has invalid autocommand /); > return(1) if (/(Invalid (input|command) detected|Type help or )/i);

From heas at shrubbery.net Wed Oct 6 22:38:40 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 6 Oct 2010 15:38:40 -0700
Subject: [rancid] Noisy Cisco ASR1002
In-Reply-To: <201010061554.33180.mtinka@globaltransit.net>
References: <201010061554.33180.mtinka@globaltransit.net>
Message-ID: <20101006223840.GS310@shrubbery.net>

Wed, Oct 06, 2010 at 03:54:32PM +0800, Mark Tinka:
> Hello all.
>
> Following an upgrade to Cisco IOS XE 3.1S for the Cisco
> ASR1002 router, there is a new level of logging activity
> that is being written to the router's 'bootflash' file
> system at least every few minutes.
>
> Our RANCID runs every half-hour, so e-mails have become
> noisy and run the risk of desensitizing our NOC.

thats different from show flash being redundant. what are new files?

> Any suggestions on how this can be filtered without
> affecting the 'dir bootflash' command used for the other
> routers?
>
> All help appreciated.
>
> Cheers,
>
> Mark.

From heas at shrubbery.net Wed Oct 6 22:40:38 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 6 Oct 2010 15:40:38 -0700
Subject: [rancid] ignoring DHCP database files in flash
In-Reply-To:
References:
Message-ID: <20101006224038.GT310@shrubbery.net>

Wed, Oct 06, 2010 at 02:39:06PM -0400, Lee:
> The DHCP database files weren't being ignored on c2800 routers:
>
> @@ -25,13 +25,13 @@ > !Flash: 8 194060 Jan 24 2009 02:19:30 atro_main2.au > !Flash: 10 322058 Jan 30 2010 00:58:38 atro_aa.au > !Flash: 11 462058 Apr 02 2010 15:16:38 atro_aa_4_2.au > !Flash: 12 384058 May 07 2010 23:00:40 atro_aa_5_7.au > !Flash: 13 59478200 Jun 03 2010 23:44:28 > c2800nm-adventerprisek9-mz.124-24.T3.bin > !Flash: 14 384058 May 17 2010 23:37:08 ATRO_AA_5_17.au > - !Flash: 15 4235 Oct 06 2010 09:37:44 dhcp_database.txt > + !Flash: 15 4235 Oct 06 2010 16:18:50 dhcp_database.txt
>
> sub ShowFlash also needs to ignore DHCP database files:
>
> diff -U 6 rancid-2.3.5/bin/rancid ~/rancid/bin/rancid > --- rancid-2.3.5/bin/rancid 2010-09-23 10:58:12.000000000 -0400 > +++ ~/rancid/bin/rancid 2010-10-06 13:22:37.000000000 -0400 > @@ -695,12 +695,13 @@ > print STDERR " In ShowFlash: $_" if ($debug); > > while () { > tr/\015//d; > last if (/^$prompt/); > next if (/^(\s*|\s*$cmd\s*)$/); > + next if (/dhcp[-_]database/); ;# --LR-- rancid 2.3.5 already ignores if (/dhcp_[^. ]*\.txt/) { > return(1) if ($type =~ /^(12[40]|7)/); > return(1) if (/^\s*\^\s*$/); > return(1) if (/Line has invalid autocommand /); > return(1) if (/(Invalid (input|command) detected|Type help or )/i); > return(-1) if (/command authorization failed/i); > # the pager can not be disabled per-session on the PIX
>
> Lee

From heas at shrubbery.net Wed Oct 6 22:43:54 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 6 Oct 2010 15:43:54 -0700
Subject: [rancid] term width changes
In-Reply-To:
References:
Message-ID: <20101006224353.GU310@shrubbery.net>

Wed, Oct 06, 2010 at 02:27:19PM -0400, Lee:
> Maybe this falls into the "don't do that category", but I've been
> doing rancid-run interactively as well as from cron

no problem doing that.

Wed, Oct 06, 2010 at 02:32:06PM -0400, Lee:
> kind of looks like a typo - "set width" instead of :"term width" for a
> not CatOS box:
>
> diff -U 6 rancid-2.3.5/bin/clogin ~/rancid/bin/clogin > --- rancid-2.3.5/bin/clogin 2010-09-23 10:58:12.000000000 -0400 > +++ ~/rancid/bin/clogin 2010-10-06 12:18:53.000000000 -0400 > @@ -886,22 +896,23 @@ > send "set width 80\r" > expect -re $prompt {} > send "set logging session disable\r" > } else { > send "terminal length 0\r" > expect -re $prompt {} > - send "set width 80\r" > + # --LR-- send "set width 80\r" > + send "terminal width 132\r"

correct, my bug. it will be in the next version.

From mtinka at globaltransit.net Wed Oct 6 23:52:11 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 7 Oct 2010 07:52:11 +0800
Subject: [rancid] Noisy Cisco ASR1002
In-Reply-To: <20101006223840.GS310@shrubbery.net>
References: <201010061554.33180.mtinka@globaltransit.net> <20101006223840.GS310@shrubbery.net>
Message-ID: <201010070752.11969.mtinka@globaltransit.net>

On Thursday, October 07, 2010 06:38:40 am john heasley wrote:

> thats different from show flash being redundant. what
> are new files?

The fix Marcus provided in a parallel e-mail worked for me.

I guess I just didn't describe the problem well enough :-).

Mark.

From hassan.hireche at corp.lecroupier.com Thu Oct 7 08:48:36 2010
From: hassan.hireche at corp.lecroupier.com (Hassan Hireche)
Date: Thu, 7 Oct 2010 10:48:36 +0200
Subject: [rancid] Rancid SAN Switch (Brocade) Script
Message-ID:

Hello Nick,

Could you send me your SANswitch script in order to grab config with rancid?

Thanks a lot.

Hassan HIRECHE

From jguasco at LNCSA.FR Thu Oct 7 14:30:05 2010
From: jguasco at LNCSA.FR (Jeremy Guasco)
Date: Thu, 07 Oct 2010 16:30:05 +0200
Subject: [rancid] H3C S3600 Figure out prompt
Message-ID: <4CADD96D.9060903@lncsa.Fr>

Hi,

I would like to use Rancid with a H3C S3600 but I have a "Figure out prompt" error.

Did someone resolve my problem?

Log:
Getting missed routers: round 4.
can not find channel named "exp6"
while executing
"close"
("foreach" body line 129)
invoked from within
"foreach router [lrange $argv $i end] {
set router [string tolower $router]
send_user "$router\n"

# Figure out prompt.
# Since autoena..."
(file "/usr/lib/rancid/bin/h3clogin" line 657)
192.168.0.193 h3clogin error: Error: TIMEOUT reached
192.168.0.193: missed cmd(s): display domain,display ftm topology-database,display current-configuration,display password-control super,display cluster,dir /all unit2>flash:/,display device manuinfo,display xrn-fabric,display password-control,display fan,dir /all unit5>flash:/,display poe temperature-protection,display mirror all,display lacp sys,display fib,dir /all unit3>flash:/,display poe powersupply,display device,dir /all unit1>flash:/,display version,display link-aggregation verbose,display ssh server status,dir /all unit6>flash:/,display vlan all,display link-aggregation summary,dir /all unit7>flash:/,dir /all unit4>flash:/,display ip route,display power,display local-user,display boot-loader,dir /all unit8>flash:/
192.168.0.193: End of run not found

Jeremy

From heas at shrubbery.net Thu Oct 7 17:28:42 2010
From: heas at shrubbery.net (john heasley)
Date: Thu, 7 Oct 2010 10:28:42 -0700
Subject: [rancid] H3C S3600 Figure out prompt
In-Reply-To: <4CADD96D.9060903@lncsa.Fr>
References: <4CADD96D.9060903@lncsa.Fr>
Message-ID: <20101007172842.GD11150@shrubbery.net>

Thu, Oct 07, 2010 at 04:30:05PM +0200, Jeremy Guasco:
> Hi,
>
> I would like to use Rancid with a H3C S3600 but I have a "Figure out
> prompt" error.
>
> Did someone resolve my problem?
>
> Log:
> Getting missed routers: round 4.
> can not find channel named "exp6"

this would indicate that the device of the client (ssh/telnet) closed prematurely. though that with a timeout is odd; perhaps the script is closing the channel twice.

if it's really hanging on the prompt, try *login -d host

> while executing
> "close"
> ("foreach" body line 129)
> invoked from within
> "foreach router [lrange $argv $i end] {
> set router [string tolower $router]
> send_user "$router\n"
>
> # Figure out prompt.
> # Since autoena..."
> (file "/usr/lib/rancid/bin/h3clogin" line 657)
> 192.168.0.193 h3clogin error: Error: TIMEOUT reached
> 192.168.0.193: missed cmd(s): display domain,display ftm
> topology-database,display current-configuration,display password-control
> super,display cluster,dir /all unit2>flash:/,display device
> manuinfo,display xrn-fabric,display password-control,display fan,dir
> /all unit5>flash:/,display poe temperature-protection,display mirror
> all,display lacp sys,display fib,dir /all unit3>flash:/,display poe
> powersupply,display device,dir /all unit1>flash:/,display
> version,display link-aggregation verbose,display ssh server status,dir
> /all unit6>flash:/,display vlan all,display link-aggregation summary,dir
> /all unit7>flash:/,dir /all unit4>flash:/,display ip route,display
> power,display local-user,display boot-loader,dir /all unit8>flash:/
> 192.168.0.193: End of run not found
>
> Jeremy

From jethro.binks at strath.ac.uk Thu Oct 7 17:42:19 2010
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Thu, 7 Oct 2010 18:42:19 +0100 (BST)
Subject: [rancid] H3C S3600 Figure out prompt
In-Reply-To: <20101007172842.GD11150@shrubbery.net>
References: <4CADD96D.9060903@lncsa.Fr> <20101007172842.GD11150@shrubbery.net>
Message-ID:

On Thu, 7 Oct 2010, john heasley wrote:

> Thu, Oct 07, 2010 at 04:30:05PM +0200, Jeremy Guasco:
> > Hi,
> >
> > I would like to use Rancid with a H3C S3600 but I have a "Figure out
> > prompt" error.
> >
> > Did someone resolve my problem?
> >
> > Log:
> > Getting missed routers: round 4.
> > can not find channel named "exp6"
>
> this would indicate that the device of the client (ssh/telnet) closed
> prematurely. though that with a timeout is odd; perhaps the script is
> closing the channel twice.
>
> if it's really hanging on the prompt, try *login -d host

Nothing specific to add, other than please try the attached version of h3clogin. I fixed various issues with it in recent months, maybe it fixes this too.

Jethro.

>
> > while executing
> > "close"
> > ("foreach" body line 129)
> > invoked from within
> > "foreach router [lrange $argv $i end] {
> > set router [string tolower $router]
> > send_user "$router\n"
> >
> > # Figure out prompt.
> > # Since autoena..."
> > (file "/usr/lib/rancid/bin/h3clogin" line 657)
> > 192.168.0.193 h3clogin error: Error: TIMEOUT reached
> > 192.168.0.193: missed cmd(s): display domain,display ftm
> > topology-database,display current-configuration,display password-control
> > super,display cluster,dir /all unit2>flash:/,display device
> > manuinfo,display xrn-fabric,display password-control,display fan,dir
> > /all unit5>flash:/,display poe temperature-protection,display mirror
> > all,display lacp sys,display fib,dir /all unit3>flash:/,display poe
> > powersupply,display device,dir /all unit1>flash:/,display
> > version,display link-aggregation verbose,display ssh server status,dir
> > /all unit6>flash:/,display vlan all,display link-aggregation summary,dir
> > /all unit7>flash:/,dir /all unit4>flash:/,display ip route,display
> > power,display local-user,display boot-loader,dir /all unit8>flash:/
> > 192.168.0.193: End of run not found
> >
> > Jeremy
> >
>

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.
-------------- next part --------------
#! /usr/local/bin/expect --
##
## $Id: h3clogin.in,v 1.79 2004/05/27 21:57:52 heas Exp $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commerical purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# The login expect scripts were based on Erik Sherk's gwtn, by permission.
#
# h3clogin - H3C (Huawei-3Com) login
#
# Most options are intuitive for logging into a Cisco router.
# The default is to enable (thus -noenable). Some folks have
# setup tacacs to have a user login at priv-lvl = 15 (enabled)
# so the -autoenable flag was added for this case (don't go through
# the process of enabling and the prompt will be the "#" prompt.
# The default username password is the same as the vty password.
#
# Set to 1 to enable some debugging:
exp_internal 0

# Usage line
set usage "Usage: $argv0 \[-autoenable\] \[-noenable\] \[-c command\] \
\[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"

# env(CLOGIN) may contain:
# x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the router
set do_command 0
set do_script 0
# The default is to automatically enable
set avenable 1
# The default is that you login non-enabled (tacacs can have you login already
# enabled)
set avautoenable 0
# The default is to look in the password file to find the passwords. This
# tracks if we receive them on the command line.
set do_passwd 1
set do_enapasswd 1
# attempt at platform switching.
set platform ""

# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ] } {
    set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
    set default_user $env(USER)
} elseif {[ info exists env(LOGNAME) ]} {
    set default_user $env(LOGNAME)
} else {
    # This uses "id" which I think is portable. At least it has existed
    # (without options) on all machines/OSes I've been on recently -
    # unlike whoami or id -nu.
    if [ catch {exec id} reason ] {
        send_error "\nError: could not exec id: $reason\n"
        exit 1
    }
    regexp {\(([^)]*)} "$reason" junk default_user
}

# Sometimes routers take awhile to answer (the default is 10 sec)
set timeout 45

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch -glob -- $arg {
        # Username
        -u* -
        -U* {
            if {! [ regexp .\[uU\](.+) $arg ignore user]} {
                incr i
                set username [ lindex $argv $i ]
            }
        # VTY Password
        } -p* -
        -P* {
            if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} {
                incr i
                set userpasswd [ lindex $argv $i ]
            }
            set do_passwd 0
        # VTY Password
        } -v* -
        -V* {
            if {! [ regexp .\[vV\](.+) $arg ignore passwd]} {
                incr i
                set passwd [ lindex $argv $i ]
            }
            set do_passwd 0
        # Enable Username
        } -w* -
        -W* {
            if {! [ regexp .\[wW\](.+) $arg ignore enauser]} {
                incr i
                set enausername [ lindex $argv $i ]
            }
        # Environment variable to pass to -s scripts
        } -E* {
            if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
                set E$varname $varvalue
            } else {
                send_user "\nError: invalid format for -E in $arg\n"
                exit 1
            }
        # Enable Password
        } -e* {
            if {! [ regexp .\[e\](.+) $arg ignore enapasswd]} {
                incr i
                set enapasswd [ lindex $argv $i ]
            }
            set do_enapasswd 0
        # Command to run.
        } -c* -
        -C* {
            if {! [ regexp .\[cC\](.+) $arg ignore command]} {
                incr i
                set command [ lindex $argv $i ]
            }
            set do_command 1
        # Expect script to run.
        } -s* -
        -S* {
            if {! [ regexp .\[sS\](.+) $arg ignore sfile]} {
                incr i
                set sfile [ lindex $argv $i ]
            }
            if { ! [ file readable $sfile ] } {
                send_user "\nError: Can't read $sfile\n"
                exit 1
            }
            set do_script 1
        # 'ssh -c' cypher type
        } -y* -
        -Y* {
            if {! [ regexp .\[yY\](.+) $arg ignore cypher]} {
                incr i
                set cypher [ lindex $argv $i ]
            }
        # alternate cloginrc file
        } -f* -
        -F* {
            if {! [ regexp .\[fF\](.+) $arg ignore password_file]} {
                incr i
                set password_file [ lindex $argv $i ]
            }
        # Timeout
        } -t* -
        -T* {
            if {! [ regexp .\[tT\](.+) $arg ignore timeout]} {
                incr i
                set timeout [ lindex $argv $i ]
            }
        # Command file
        } -x* -
        -X {
            if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} {
                incr i
                set cmd_file [ lindex $argv $i ]
            }
            if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
                send_user "\nError: $reason\n"
                exit 1
            }
            set cmd_text [read $cmd_fd]
            close $cmd_fd
            set command [join [split $cmd_text \n] \;]
            set do_command 1
        # Do we enable?
        } -noenable {
            set avenable 0
        # Does tacacs automatically enable us?
        } -autoenable {
            set avautoenable 1
            set avenable 0
        } -* {
            send_user "\nError: Unknown argument! $arg\n"
            send_user $usage
            exit 1
        } default {
            break
        }
    }
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
    send_user "\nError: $usage"
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting. Now run with it...
#

# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
        if {[string first "x" $env(CLOGIN)] != -1} { return }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
        if [regexp \^(xterm|vs) $env(TERM) ignore ] {
            send_user "\033]1;[lindex [split $host "."] 0]\a"
            send_user "\033]2;$host\a"
        }
    }
}

# This is a helper function to make the password file easier to
# maintain. Using this the password file has the form:
# add password sl* pete cow
# add password at* steve
# add password * hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [ regexp "^/" $args ignore ] == 0 } {
        set args $env(HOME)/$args
    }
    source_password_file $args
}

proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
        foreach line $list {
            if { [string match [lindex $line 0] $router ] } {
                return [lrange $line 1 end]
            }
        }
    }
    return {}
}

# Loads the password file. Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info... I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extension of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
        send_user "\nError: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
        send_user "\nError: $password_file must not be world readable/writable\n"
        exit 1
    }
    if [ catch {source $password_file} reason ] {
        send_user "\nError: $reason\n"
        exit 1
    }
}

# Log into the router.
proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
    global spawn_id in_proc do_command do_script platform
    global prompt u_prompt p_prompt e_prompt sshcmd
    set in_proc 1
    set uprompt_seen 0

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        if [string match "telnet*" $prog] {
            regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn telnet $router} reason ]
            } else {
                set retval [ catch {spawn telnet $router $port} reason ]
            }
            if { $retval } {
                send_user "\nError: telnet failed: $reason\n"
                exit 1
            }
        } elseif [string match "ssh*" $prog] {
            regexp {ssh(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ]
            } else {
                set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user -p $port $router} reason ]
            }
            if { $retval } {
                send_user "\nError: $sshcmd failed: $reason\n"
                exit 1
            }
        } elseif ![string compare $prog "rsh"] {
            if [ catch {spawn rsh -l $user $router} reason ] {
                send_user "\nError: rsh failed: $reason\n"
                exit 1
            }
        } else {
            puts "\nError: unknown connection method: $prog"
            return 1
        }
        incr progs -1

        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        # Here we get a little tricky. There are several possibilities:
        # the router can ask for a username and passwd and then
        # talk to the TACACS server to authenticate you, or if the
        # TACACS server is not working, then it will use the enable
        # passwd. Or, the router might not have TACACS turned on,
        # then it will just send the passwd.
# if telnet fails with connection refused, try ssh expect { -re "(Connection refused|Secure connection \[^\n\r]+ refused)" { catch {close}; wait if !$progs { send_user "\nError: Connection Refused ($prog): $router\n" return 1 } } -re "(Connection closed by|Connection to \[^\n\r]+ closed)" { catch {close}; wait if !$progs { send_user "\nError: Connection closed ($prog): $router\n" return 1 } } eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 } -nocase "unknown host\r" { catch {close}; send_user "\nError: Unknown host $router\n"; wait; return 1 } "Host is unreachable" { catch {close}; send_user "\nError: Host Unreachable: $router\n"; wait; return 1 } "No address associated with name" { catch {close}; send_user "\nError: Unknown host $router\n"; wait; return 1 } -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" { send "yes\r" send_user "\nHost $router added to the list of known hosts.\n" exp_continue } -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" { send "no\r" send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n" return 1 } -re "Offending key for .* \(yes\/no\)\?" { send "no\r" send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n" return 1 } -re "(denied|Sorry)" { send_user "\nError: Check your passwd for $router\n" catch {close}; wait; return 1 } "Login failed" { send_user "\nError: Check your passwd for $router\n" return 1 } -re "% (Bad passwords|Authentication failed)" { send_user "\nError: Check your passwd for $router\n" return 1 } "Press any key to continue." { # send_user "Pressing the ANY key\n" send "\r" exp_continue } -re "Enter Selection: " { # Catalyst 1900s have some lame menu. Enter # K to reach a command-line. 
send "K\r" exp_continue; } -re "@\[^\r\n]+ $p_prompt" { # ssh pwd prompt sleep 1 send "$userpswd\r" exp_continue } -re "$u_prompt" { send "$user\r" set uprompt_seen 1 exp_continue } -re "$p_prompt" { sleep 1 if {$uprompt_seen == 1} { send "$userpswd\r" } else { send "$passwd\r" } exp_continue } -re "$prompt" { break; } "Login invalid" { send_user "\nError: Invalid login: $router\n"; catch {close}; wait; return 1 } } } set in_proc 0 return 0 } # Enable proc do_enable { enauser enapasswd } { global prompt in_proc global u_prompt e_prompt set in_proc 1 set enacmd "system-view" send "$enacmd\r" expect { -re "$u_prompt" { send "$enauser\r"; exp_continue} -re "$e_prompt" { send "$enapasswd\r"; exp_continue} -re "(denied|Sorry|Incorrect)" { # % Access denied - from local auth and poss. others send_user "\nError: Check your Enable passwd\n"; return 1 } "% Error in authentication" { send_user "\nError: Check your Enable passwd\n" return 1 } "% Bad passwords" { send_user "\nError: Check your Enable passwd\n" return 1 } } # We set the prompt variable (above) so script files don't need # to know what it is. set in_proc 0 return 0 } # Run commands given on the command line. proc run_commands { prompt command } { global in_proc platform set in_proc 1 # escape any parens in the prompt, such as "(enable)" regsub -all {[][)(]} $prompt {\\&} reprompt expect { -re $reprompt {} -re "\[\n\r]+" { exp_continue } } # this is the only way i see to get rid of more prompts in o/p..grrrrr log_user 0 # Is this a multi-command? if [ string match "*\;*" "$command" ] { set commands [split $command \;] set num_commands [llength $commands] # The pager can not be turned off on some 3Com/H3C, so we have to look # for the "More" prompt. for {set i 0} {$i < $num_commands} { incr i} { send "[subst -nocommands [lindex $commands $i]]\r" expect { -re "\b+" { exp_continue } -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)" } -re "^\[^\n\r]*$reprompt." 
{ send_user -- "$expect_out(buffer)" exp_continue } -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" exp_continue } -re "^ ---- More ----.*\[^\n\r]*" { sleep 0.1 send " " exp_continue } } } } else { # The pager can not be turned off on some 3Com/H3C, so we have to look # for the "More" prompt. send "[subst -nocommands $command]\r" expect { -re "\b+" { exp_continue } -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)" } -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)" exp_continue } -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" exp_continue } -re "^ ---- More ----.*\[^\n\r]*" { sleep 0.1 send " " exp_continue } } } log_user 1 send "quit\r" expect { -re "^\[^\n\r *]*$reprompt" { # H3C products # return to non-enabled mode # on exit in enabled mode. send "quit\r" exp_continue; } # TODO: we will need to do this too: # "Do you wish to save your configuration changes" { # send "n\r" # exp_continue # } -re "\[\n\r]+" { exp_continue } # hwlogin+mod: -re "\[^\n\r *]Note:" { return 0 } timeout { return 0 } eof { return 0 } } set in_proc 0 } # # For each router... (this is main loop) # source_password_file $password_file set in_proc 0 foreach router [lrange $argv $i end] { set router [string tolower $router] send_user "$router\n" # Figure out prompt. # Since autoenable is off by default, if we have it defined, it # was done on the command line. If it is not specifically set on the # command line, check the password file. if $avautoenable { set autoenable 1 set enable 0 # hwlogin: #set prompt "(#| \\(enable\\))" set prompt ">" } else { set ae [find autoenable $router] if { "$ae" == "1" } { set autoenable 1 set enable 0 # hwlogin: set prompt ">" } else { set autoenable 0 set enable $avenable set prompt ">" } } # look for noenable option in .cloginrc # Strath: but I do not know why I made this change, and it does not appear # to be reflected in other *rancid in svn trunk. 
# if [find noenable $router] != "" if { [find noenable $router] == "1" } { send_user "\nset enable 0.\n" set enable 0 } # Figure out passwords if { $do_passwd || $do_enapasswd } { set pswd [find password $router] if { [llength $pswd] == 0 } { send_user "\nError: no password for $router in $password_file.\n" continue } if { $enable && $do_enapasswd && $autoenable == 0 && [llength $pswd] < 2 } { send_user "\nError: no enable password for $router in $password_file.\n" continue } set passwd [join [lindex $pswd 0] ""] set enapasswd [join [lindex $pswd 1] ""] } # Figure out username if {[info exists username]} { # command line username set ruser $username } else { set ruser [join [find user $router] ""] if { "$ruser" == "" } { set ruser $default_user } } # Figure out username's password (if different from the vty password) if {[info exists userpasswd]} { # command line username set userpswd $userpasswd } else { set userpswd [join [find userpassword $router] ""] if { "$userpswd" == "" } { set userpswd $passwd } } # Figure out enable username if {[info exists enausername]} { # command line enausername set enauser $enausername } else { set enauser [join [find enauser $router] ""] if { "$enauser" == "" } { set enauser $ruser } } # Figure out prompts set u_prompt [find userprompt $router] if { "$u_prompt" == "" } { set u_prompt "(Username|Login|login|user name):" } else { set u_prompt [join [lindex $u_prompt 0] ""] } set p_prompt [find passprompt $router] if { "$p_prompt" == "" } { set p_prompt "(\[Pp]assword|passwd):" } else { set p_prompt [join [lindex $p_prompt 0] ""] } set e_prompt [find enableprompt $router] if { "$e_prompt" == "" } { set e_prompt "\[Pp]assword:" } else { set e_prompt [join [lindex $e_prompt 0] ""] } # Figure out cypher type if {[info exists cypher]} { # command line cypher type set cyphertype $cypher } else { set cyphertype [find cyphertype $router] if { "$cyphertype" == "" } { set cyphertype "3des" } } # Figure out connection method set cmethod [find 
method $router] if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} } # Figure out the SSH executable name set sshcmd [find sshcmd $router] if { "$sshcmd" == "" } { set sshcmd {ssh} } # Login to the router if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype]} { continue } # Disable log junk being sent to terminal: must be done before $enacmd is run # It would be nice for this to be setable in .cloginrc send "undo terminal monitor\r" expect -re $prompt {} # Turn session paging off; this only works on models like 3Com 4800G and H3C # Other models like 3Com 5500 have a screen-length command that only works on # a vty basis send "screen-length disable\r" if { $enable } { if {[do_enable $enauser $enapasswd]} { if { $do_command || $do_script } { close; wait continue } } } # we are logged in, now figure out the full prompt send "\r" expect { -re "\[\r\n]+" { exp_continue; } -re "^.+$prompt" { set junk $expect_out(0,string); regsub -all "\[\]\[]" $junk {\\&} prompt; } -re "^.+> \\\(enable\\\)" { set junk $expect_out(0,string); regsub -all "\[\]\[]" $junk {\\&} prompt; } } if { $do_command } { if {[run_commands $prompt $command]} { continue } } elseif { $do_script } { # # If the prompt is (enable), then we are on a switch and the # # command is "set length 0"; otherwise its "term length 0". # if [ regexp -- ".*> .*enable" "$prompt" ] { # send "set length 0\r" # send "set logging session disable\r" # } else { # send "term length 0\r" # } expect -re $prompt {} source $sfile close } else { label $router log_user 1 interact } # End of for each router wait sleep 0.3 } exit 0 From ler762 at gmail.com Thu Oct 7 20:45:42 2010 
From: ler762 at gmail.com (Lee)
Date: Thu, 7 Oct 2010 16:45:42 -0400
Subject: [rancid] ignoring DHCP database files in flash
In-Reply-To: <20101006224038.GT310@shrubbery.net>
References: <20101006224038.GT310@shrubbery.net>
Message-ID:

On 10/6/10, john heasley wrote:
> Wed, Oct 06, 2010 at 02:39:06PM -0400, Lee:
>> The DHCP database files weren't being ignored on c2800 routers:
>>
>> @@ -25,13 +25,13 @@ >> !Flash: 8 194060 Jan 24 2009 02:19:30 atro_main2.au >> !Flash: 10 322058 Jan 30 2010 00:58:38 atro_aa.au >> !Flash: 11 462058 Apr 02 2010 15:16:38 atro_aa_4_2.au >> !Flash: 12 384058 May 07 2010 23:00:40 atro_aa_5_7.au >> !Flash: 13 59478200 Jun 03 2010 23:44:28 >> c2800nm-adventerprisek9-mz.124-24.T3.bin >> !Flash: 14 384058 May 17 2010 23:37:08 ATRO_AA_5_17.au >> - !Flash: 15 4235 Oct 06 2010 09:37:44 dhcp_database.txt >> + !Flash: 15 4235 Oct 06 2010 16:18:50 dhcp_database.txt
>>
>> sub ShowFlash also needs to ignore DHCP database files:
>>
>> diff -U 6 rancid-2.3.5/bin/rancid ~/rancid/bin/rancid >> --- rancid-2.3.5/bin/rancid 2010-09-23 10:58:12.000000000 -0400 >> +++ ~/rancid/bin/rancid 2010-10-06 13:22:37.000000000 -0400 >> @@ -695,12 +695,13 @@ >> print STDERR " In ShowFlash: $_" if ($debug); >> >> while () { >> tr/\015//d; >> last if (/^$prompt/); >> next if (/^(\s*|\s*$cmd\s*)$/); >> + next if (/dhcp[-_]database/); ;# --LR--
>
> rancid 2.3.5 already ignores
>
> if (/dhcp_[^. ]*\.txt/) {

Which is why I included an example of the file "dhcp_database.txt"
showing up in the change log. rancid 2.3.5 has
> if (/dhcp_[^. ]*\.txt/) {
only in sub DirSlotN - you need another test for ignoring dhcp files
in sub ShowFlash

Regards,
Lee

From lcaron at unix-scripts.info Fri Oct 8 12:20:38 2010
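Review bot: in the ShowFlash hunk, the added `next if (/dhcp[-_]database/);` is an unanchored substring match, so it drops every flash listing line that merely contains dhcp-database or dhcp_database, and a change to any file with that string in its name would no longer show up in the diff. DirSlotN is quoted in this thread as using `/dhcp_[^. ]*\.txt/`; reusing that pattern, anchored to the end of the line, would keep the two subs consistent and keep the ignore as narrow as possible. The trailing ` ;# --LR--` also leaves an empty statement, a plain `# --LR--` comment is enough.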
From: lcaron at unix-scripts.info (Laurent CARON)
Date: Fri, 08 Oct 2010 14:20:38 +0200
Subject: [rancid] H3C S3600 Figure out prompt
In-Reply-To:
References: <4CADD96D.9060903@lncsa.Fr> <20101007172842.GD11150@shrubbery.net>
Message-ID: <4CAF0C96.80006@unix-scripts.info>

On 07/10/2010 19:42, Jethro R Binks wrote:
> Nothing specific to add, other than please try the attached version of
> h3clogin. I fixed various issues with it in recent months, maybe it fixes
> this too.

Hi,

It fails with:
rancid at camylla:~$ /usr/lib/rancid/bin/h3clogin -f ./.h3clogin 192.168.0.193
": no such file or directory


rancid at camylla:~$ /usr/lib/rancid/bin/h3clogin
": no such file or directory
rancid at camylla:~$

Any thoughts ?

From jethro.binks at strath.ac.uk Fri Oct 8 12:38:11 2010
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Fri, 8 Oct 2010 13:38:11 +0100 (BST)
Subject: [rancid] H3C S3600 Figure out prompt
In-Reply-To: <4CAF0C96.80006@unix-scripts.info>
References: <4CADD96D.9060903@lncsa.Fr> <20101007172842.GD11150@shrubbery.net> <4CAF0C96.80006@unix-scripts.info>
Message-ID:

On Fri, 8 Oct 2010, Laurent CARON wrote:

> On 07/10/2010 19:42, Jethro R Binks wrote:
> > Nothing specific to add, other than please try the attached version of
> > h3clogin. I fixed various issues with it in recent months, maybe it fixes
> > this too.
>
> Hi,
>
> It fails with:
> rancid at camylla:~$ /usr/lib/rancid/bin/h3clogin -f ./.h3clogin 192.168.0.193
> ": no such file or directory
>
>
> rancid at camylla:~$ /usr/lib/rancid/bin/h3clogin
> ": no such file or directory
> rancid at camylla:~$

Check the path to expect on the first #! line? Compare with the usual
clogin etc.

J.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From lcaron at unix-scripts.info Fri Oct 8 12:41:06 2010
From: lcaron at unix-scripts.info (Laurent CARON)
Date: Fri, 08 Oct 2010 14:41:06 +0200
Subject: [rancid] H3C S3600 Figure out prompt
In-Reply-To:
References: <4CADD96D.9060903@lncsa.Fr> <20101007172842.GD11150@shrubbery.net> <4CAF0C96.80006@unix-scripts.info>
Message-ID: <4CAF1162.5080408@unix-scripts.info>

On 08/10/2010 14:38, Jethro R Binks wrote:
> On Fri, 8 Oct 2010, Laurent CARON wrote:
>
>> On 07/10/2010 19:42, Jethro R Binks wrote:
>>> Nothing specific to add, other than please try the attached version of
>>> h3clogin. I fixed various issues with it in recent months, maybe it fixes
>>> this too.
>>
>> Hi,
>>
>> It fails with:
>> rancid at camylla:~$ /usr/lib/rancid/bin/h3clogin -f ./.h3clogin 192.168.0.193
>> ": no such file or directory
>>
>>
>> rancid at camylla:~$ /usr/lib/rancid/bin/h3clogin
>> ": no such file or directory
>> rancid at camylla:~$
>
> Check the path to expect on the first #! line? Compare with the usual
> clogin etc.
>

rancid at camylla:~$ grep bin /usr/lib/rancid/bin/h3clogin
#! /usr/bin/expect --
rancid at camylla:~$ grep bin /usr/lib/rancid/bin/clogin
#! /usr/bin/expect --

From mnazriz at gmail.com Sun Oct 10 15:20:12 2010
From: mnazriz at gmail.com (Mohd Nazri Zawawi)
Date: Sun, 10 Oct 2010 23:20:12 +0800
Subject: [rancid] Rancid for Alcatel-Lucent SR 7450
Message-ID:

Hi,

Does anyone have the Rancid code for the Alcatel-Lucent SR 7450 router? I've
tried to modify the code but still can't capture the output. I want to
capture the below output in Rancid. Appreciate your help.

tq
/mnazriz

Alcatel-Lucent 7450 Output
~~~~~~~~~~~~~~~~~~~~
A:EPEALBV01# show version
TiMOS-C-7.0.R6 cpm/hops ALCATEL ESS 7450 Copyright (c) 2000-2009 Alcatel-Lucent.
All rights reserved. All use subject to applicable license agreements.
Built on Mon Nov 23 16:12:12 PST 2009 by builder in /rel7.0/b1/R6/panos/main
A:EPEALBV01# logout
Connection to epealbv01 closed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From heas at shrubbery.net Tue Oct 12 05:16:02 2010
From: heas at shrubbery.net (john heasley)
Date: Tue, 12 Oct 2010 05:16:02 +0000
Subject: [rancid] do_saveconfig
In-Reply-To:
References:
Message-ID: <20101012051601.GD22694@shrubbery.net>

Sat, Sep 18, 2010 at 10:20:09PM -1000, Richard Zheng:
> Hi,
>
> I'd like to save config when config is different, e.g. run 'wr mem' on
> cisco. There is a flag do_saveconfig on clogin. I changed it to 1, nothing
> happens.
>
> Is it possible to set it somewhere else?

it only works for a few of the platforms that prompt to save the config,
such as force10, cisco css, hp procurve, etc. ios does not prompt.

From heas at shrubbery.net Tue Oct 12 05:22:42 2010
From: heas at shrubbery.net (john heasley)
Date: Tue, 12 Oct 2010 05:22:42 +0000
Subject: [rancid] post-processing the diff listing before mailing?
In-Reply-To:
References:
Message-ID: <20101012052242.GE22694@shrubbery.net>

Wed, Sep 22, 2010 at 01:04:16PM -0400, Lee:
> Anyone like the idea of processing the diff listing before mailing it out?
>
> I'd rather have rancid collect the configs and not mess with them -
> ie: rancid.conf has
> FILTER_PWDS=NO
> NOCOMMSTR=NO
> ACLSORT=NO
> but I don't want things like SNMP community strings or
> encrypted/obfuscated passwords being mailed out.. So my idea is
> post-processing the diff listing before emailing it out. Which would
> also let me know which configs changed so I could check the new
> configs & mail out a 'local config standards violations' email :)
>
> The code is really ugly, but as a proof of concept..

why not do this outside of rancid; mail it to a script that processes
it's input, such as you've done here, and emails the result to your
diff-receivers list. everyone can have their own flavor of diff
post-processing.

> "control_rancid" line 447
> # This has been different for different machines...
> # Diff the directory and then checkin.
> trap 'rm -fr $TMP $TMP.diff $DIR/routers.single;' 1 2 15
> cd $DIR
> if [ $RCSSYS = "cvs" ] ; then
>     # --LR-- cvs -f diff -U 4 -ko | sed -e '/^RCS file: /d' -e '/^--- /d' \
>     # --LR-- 4 is not enough, 8 seems a bit much so try 6
>     cvs -f diff -U 6 -ko | sed -e '/^RCS file: /d' -e '/^--- /d' \
>         -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
> else
>     svn diff | sed -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
> fi
>
> # --LR-- begin: check configs of changed devices
> grep "^Index: " $TMP.diff |\
> awk '/^Index: configs/{
>     if ( ! got1 ) {
>         printf("echo\necho\necho Config check results:\n~/bin/ckConfig.sh ")
>         got1=1
>     }
>     printf("%s ", $2)
> }
> END{ if (got1) printf("\necho == results end ==\n") }
> ' >$TMP.doit
> /bin/sh $TMP.doit >> $TMP.diff
> ~/bin/sanitize.sh $TMP.diff >$TMP.doit
> /bin/mv $TMP.doit $TMP.diff
> # --LR-- end: check configs of changed devices
>
> if [ $alt_mailrcpt -eq 1 ] ; then
>     subject="router config diffs - courtesy of $mailrcpt"
> else
>     subject="router config diffs"
> fi
>
>
> Lee
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From heas at shrubbery.net Tue Oct 12 05:36:25 2010
From: heas at shrubbery.net (john heasley)
Date: Tue, 12 Oct 2010 05:36:25 +0000
Subject: [rancid] post-processing the diff listing before mailing?
In-Reply-To: <20101012052242.GE22694@shrubbery.net>
References: <20101012052242.GE22694@shrubbery.net>
Message-ID: <20101012053625.GG22694@shrubbery.net>

Tue, Oct 12, 2010 at 05:22:42AM +0000, john heasley:
> Wed, Sep 22, 2010 at 01:04:16PM -0400, Lee:
> > Anyone like the idea of processing the diff listing before mailing it out?
> >
> > I'd rather have rancid collect the configs and not mess with them -
> > ie: rancid.conf has
> > FILTER_PWDS=NO
> > NOCOMMSTR=NO
> > ACLSORT=NO
> > but I don't want things like SNMP community strings or
> > encrypted/obfuscated passwords being mailed out.. So my idea is
> > post-processing the diff listing before emailing it out. Which would
> > also let me know which configs changed so I could check the new
> > configs & mail out a 'local config standards violations' email :)
> >
> > The code is really ugly, but as a proof of concept..
>
> why not do this outside of rancid; mail it to a script that processes
> it's input, such as you've done here, and emails the result to your
> diff-receivers list. everyone can have their own flavor of diff
> post-processing.

btw, also see rancid-/share/rtrfilter.

From peo at chalmers.se Tue Oct 12 05:50:07 2010
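The post-processing step discussed in this thread (strip secrets from the diff before it is mailed, and list which configs changed), as a stand-alone shell filter. This is an added example, not Lee's sanitize.sh and not RANCID code; the function names, the IOS-style patterns and the sample diff are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: redact secrets from a RANCID diff before it is mailed.
# Assumes the line layout produced by the control_rancid sed step quoted
# in the thread: one marker column (-, + or space), a space, then the
# config line. The patterns cover common IOS-style lines only (assumption).
#
# Usage inside a mail pipeline: sanitize_diff < diff.txt > diff.clean

# sanitize_diff: stdin -> stdout, secret values replaced by <removed>.
sanitize_diff() {
    sed -E \
        -e 's/^([-+ ]? *snmp-server community )[^ ]+/\1<removed>/' \
        -e 's/^([-+ ]? *enable (secret|password) )([0-9]+ )?[^ ]+/\1\3<removed>/' \
        -e 's/( (password|secret|key) [0-9]+ )[^ ]+/\1<removed>/'
}

# changed_configs: print the device names from "Index: configs/<name>"
# lines, so a separate config check can be run on exactly those files.
changed_configs() {
    sed -n 's/^Index: configs\///p'
}

# sample_diff: constructed input, not taken from a real device.
sample_diff() {
    cat <<'EOF'
Index: configs/core-sw1
===================================================================
@@ -10,6 +10,6 @@
  hostname core-sw1
- enable secret 5 $1$abcd$Zm9vYmFyYmF6cXV4MTIzNA
+ enable secret 5 $1$efgh$cXV4YmF6YmFyZm9vNDMyMQ
+ snmp-server community s3cr3tRW RW
  interface Vlan10
+ username ops privilege 15 password 7 0822455D0A16
+  password 7 0822455D0A16
EOF
}
```

Run `sample_diff | sanitize_diff` to see the redacted listing; diff markers, context lines and the `Index:` header pass through unchanged.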
From: peo at chalmers.se (Per-Olof Olsson)
Date: Tue, 12 Oct 2010 07:50:07 +0200
Subject: [rancid] do_saveconfig
In-Reply-To: <20101012051601.GD22694@shrubbery.net>
References: <20101012051601.GD22694@shrubbery.net>
Message-ID: <4CB3F70F.7020704@chalmers.se>

john heasley wrote:
> Sat, Sep 18, 2010 at 10:20:09PM -1000, Richard Zheng:
>> Hi,
>>
>> I'd like to save config when config is different, e.g. run 'wr mem' on
>> cisco. There is a flag do_saveconfig on clogin. I changed it to 1, nothing
>> happens.
>>
>> Is it possible to set it somewhere else?
>
> it only works for a few of the platforms that prompt to save the config,
> such as force10, cisco css, hp procurve, etc. ios does not prompt.
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

Not working for newer hp procurve!
You have to "logout" from manager level to get save config prompt.

Rancid 2.3.5.
diff -c hlogin.in.ORG hlogin.in *************** *** 563,569 **** } } log_user 1 ! send -h "exit\r" expect { "Do you want to save current configuration" { if {$do_saveconfig} { --- 563,569 ---- } } log_user 1 ! send -h "logout\r" expect { "Do you want to save current configuration" { if {$do_saveconfig} {

/Peo
----------------------------------------------------------
Per-Olof Olsson Email: peo at chalmers.se
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8660
----------------------------------------------------------

From heas at shrubbery.net Tue Oct 12 05:56:25 2010
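Review bot: the changed line `send -h "logout\r"` replaces `exit` unconditionally, so the `expect` block that follows reaches the "Do you want to save current configuration" prompt only on software that accepts `logout` at manager level, and nothing in the hunk falls back to `exit` when `logout` is rejected. Sending `logout` first and retrying with `exit` when the save prompt or a disconnect does not follow would keep `do_saveconfig` working on both old and new ProCurve software.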
From: heas at shrubbery.net (john heasley)
Date: Tue, 12 Oct 2010 05:56:25 +0000
Subject: [rancid] do_saveconfig
In-Reply-To: <4CB3F70F.7020704@chalmers.se>
References: <20101012051601.GD22694@shrubbery.net> <4CB3F70F.7020704@chalmers.se>
Message-ID: <20101012055625.GJ22694@shrubbery.net>

Tue, Oct 12, 2010 at 07:50:07AM +0200, Per-Olof Olsson:
> john heasley wrote:
>> Sat, Sep 18, 2010 at 10:20:09PM -1000, Richard Zheng:
>>> Hi,
>>>
>>> I'd like to save config when config is different, e.g. run 'wr mem' on
>>> cisco. There is a flag do_saveconfig on clogin. I changed it to 1, nothing
>>> happens.
>>>
>>> Is it possible to set it somewhere else?
>>
>> it only works for a few of the platforms that prompt to save the config,
>> such as force10, cisco css, hp procurve, etc. ios does not prompt.
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
>
> Not working for newer hp procurve!
> You have to "logout" from manager level to get save config prompt.

that is not sufficient. logout does not work in previous s/w, so it must
try one then the other.

> Rancid 2.3.5.
> diff -c hlogin.in.ORG hlogin.in > > *************** > *** 563,569 **** > } > } > log_user 1 > ! send -h "exit\r" > expect { > "Do you want to save current configuration" { > if {$do_saveconfig} { > --- 563,569 ---- > } > } > log_user 1 > ! send -h "logout\r" > expect { > "Do you want to save current configuration" { > if {$do_saveconfig} {
>
>
>
> /Peo
> ----------------------------------------------------------
> Per-Olof Olsson Email: peo at chalmers.se
> Chalmers tekniska högskola IT-service
> Hörsalsvägen 5 412 96 Göteborg
> Tel: 031/772 6738 Fax: 031/772 8660
> ----------------------------------------------------------

From cderemer at phoebe.org Wed Oct 13 16:25:19 2010
From: cderemer at phoebe.org (Christopher DeRemer)
Date: Wed, 13 Oct 2010 12:25:19 -0400
Subject: [rancid] WLC diff process tweak
Message-ID: <671DC9312DF0CC4D8A7F3ABE978DD5ADE84D5B0CC4@MAIL.phoebe.local>

I'm running the latest build, and using the WLC script I have diffs a
couple times a day because our Lobby Administrators are adding guest WiFi
users all the time. I'm looking at a way to ignore the whole "net user"
section of the config. If I have to recover the controller with the rancid
config I really don't care about what users had guest WiFi access, I care
about production :)

I'm terrible at expect / regex, and by that I mean I can't do it at all!
Anyone have a line or two I can add in to ignore this.

Sample diff output:

Index: configs/10.10.3.25 =================================================================== - -- configs/10.10.3.25 (revision 340) @@ -132,14 +132,12 @@ netuser add jdelong **** wlan 2 userType guest lifetime 604800 description Guest of John DeLong netuser add lchristiansen **** wlan 2 userType permanent description Doctor "Emeralds!" netuser add ms **** wlan 2 userType guest lifetime 2592000 description - netuser add mschick **** wlan 2 userType guest lifetime 172800 description netuser add mwagner **** wlan 2 userType guest lifetime 1209600 description Mark Wagner - #108 netuser add savadelis **** wlan 2 userType guest lifetime 2592000 description Guest of Savadelis netuser add todd **** wlan 2 userType permanent description AramarkIT netuser add yzhang **** wlan 2 userType permanent description Dr. Zhang netuser lifetime jdelong 604800 netuser lifetime ms 2592000 - netuser lifetime mschick 172800 netuser lifetime mwagner 1209600 netuser lifetime savadelis 2592000 netuser wlan-id bparker 2
@@ -147,7 +145,6 @@ netuser wlan-id jdelong 2 netuser wlan-id lchristiansen 2 netuser wlan-id ms 2 - netuser wlan-id mschick 2 netuser wlan-id mwagner 2 netuser wlan-id savadelis 2 netuser wlan-id todd 2

Also for anyone that has had trouble with the WLC scripts in the past, I
had to change the command table from executing "show running-config" to
"show run-config commands" because show running-config was deprecated and
made the 5.2.193 version barf. I'm not sure about versions after that,
because we are slow to upgrade due to high-availability needs.

Cheers

Christopher DeRemer, CCENT
Network Administrator
Phoebe Services
484.619.2168 (Single # Reach)

________________________________
NOTICE: This confidential message/attachment contains information intended
for a specific individual(s). Any inappropriate use, distribution or
duplication is strictly prohibited. If received in error, notify the sender
and immediately delete this transmission.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mtinka at globaltransit.net Thu Oct 14 14:15:49 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 14 Oct 2010 22:15:49 +0800
Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1
Message-ID: <201010142215.49763.mtinka@globaltransit.net>

Hello all.

IOS XE 3.1S (and maybe later) has a bug on the ASR1006
platform where an empty file called 'foo.bar' (no, really),
gets created on the hard drive file system.

Deleting this file does not help, and the router recreates
it.

The file is regularly modified, so RANCID is always catching
changes each time it runs. Bug ID CSCth48537 has been opened
for this, but no news on when a fix will be available.

On the CRS-1, a file called 'volt_cont' is constantly being
written to. This file stores environmental monitoring of
system voltages. This is not a bug, and is working as
designed.

Is there any way we can get RANCID to silence the changes in
these files, without losing any changes to any other files
in the same file systems?

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL:

From ler762 at gmail.com Thu Oct 14 16:59:56 2010
From: ler762 at gmail.com (Lee)
Date: Thu, 14 Oct 2010 12:59:56 -0400
Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1
In-Reply-To: <201010142215.49763.mtinka@globaltransit.net>
References: <201010142215.49763.mtinka@globaltransit.net>
Message-ID:

On 10/14/10, Mark Tinka wrote:
> Hello all.
>
> IOS XE 3.1S (and maybe later) has a bug on the ASR1006
> platform where an empty file called 'foo.bar' (no, really),
> gets created on the hard drive file system.
>
> Deleting this file does not help, and the router recreates
> it.
>
> The file is regularly modified, so RANCID is always catching
> changes each time it runs. Bug ID CSCth48537 has been opened
> for this, but no news on when a fix will be available.
>
> On the CRS-1, a file called 'volt_cont' is constantly being
> written to. This file stores environmental monitoring of
> system voltages. This is not a bug, and is working as
> designed.
>
> Is there any way we can get RANCID to silence the changes in
> these files, without losing any changes to any other files
> in the same file systems?

As a temporary work-around, you could change rancid to ignore them -
take a look at sub ShowFlash and/or sub DirSlotN.

If the file size changes you might also want to ignore the
" bytes available " line. We've got some routers acting as a DHCP
server and saving the DHCP database to flash. It's a bit puzzling at
first to see the free space change with no file changes listed.

Regards,
Lee

From denyipanyany at gmail.com Thu Oct 14 23:49:49 2010
From: denyipanyany at gmail.com (Deny IP Any Any) Date: Thu, 14 Oct 2010 19:49:49 -0400 Subject: [rancid] f5rancid and chassis fan speed/ShowSslCrt issues Message-ID: Greetings. I have a copy of f5rancid (version 1.8 perhaps?) currently gathering config info from an F5 BIG-IP Version 9.4.7 perfectly fine. I have another F5 unit, running BIG-IP 9.4.8 Build 355.0 Final, which is giving me some trouble, described below. For some reason, when I manually run "rancid-run -r" against the new box, it gathers the config fine. When rancid runs via crontab, it complains about missing the ShowSslKey/ShowSslCrt commands ("missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key"); I have simply removed the troublesome lines from my @commandtable for the time being. The other issue is that F5 has decided to include the chassis fan speed in the output from 'bigpipe platform', which causes hourly diffs. Such as:
[root at Dev-F5:Active] config # bigpipe platform | grep -A 1 "CHASSIS FAN"
+-> CHASSIS FAN
| | (1) active - 10887rpm (2) active - 11250rpm (3) active - 11250rpm
[root at Dev-F5:Active] config # bigpipe platform | grep -A 1 "CHASSIS FAN"
+-> CHASSIS FAN
| | (1) active - 10546rpm (2) active - 10887rpm (3) active - 10887rpm
[root at Dev-F5:Active] config # bigpipe platform | grep -A 1 "CHASSIS FAN"
+-> CHASSIS FAN
| | (1) active - 10887rpm (2) active - 10887rpm (3) active - 11250rpm
Is there a newer/better f5rancid that would work around either of these issues? -- deny ip any any (4393649193 matches) From mtinka at globaltransit.net Fri Oct 15 03:06:10 2010
From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 15 Oct 2010 11:06:10 +0800 Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1 In-Reply-To: References: <201010142215.49763.mtinka@globaltransit.net> Message-ID: <201010151106.11551.mtinka@globaltransit.net> On Friday, October 15, 2010 12:59:56 am Lee wrote: > As a temporary work-around, you could change rancid to > ignore them - take a look at sub ShowFlash and/or sub > DirSlotN. For IOS XR, RANCID already has this:
# filter frequently changing files from IOX bootflash
if ($dev =~ /bootflash/) {
    next if (/temp_cont\s*$/);
    next if (/uptime_cont\s*$/);
Would adding another line for 'volt_cont' be all that's needed? Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From ler762 at gmail.com Fri Oct 15 12:41:16 2010 From: ler762 at gmail.com (Lee) Date: Fri, 15 Oct 2010 08:41:16 -0400 Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1 In-Reply-To: <201010151106.11551.mtinka@globaltransit.net> References: <201010142215.49763.mtinka@globaltransit.net> <201010151106.11551.mtinka@globaltransit.net> Message-ID: On 10/14/10, Mark Tinka wrote: > On Friday, October 15, 2010 12:59:56 am Lee wrote: > >> As a temporary work-around, you could change rancid to >> ignore them - take a look at sub ShowFlash and/or sub >> DirSlotN. > > For IOS XR, RANCID already has this: >
> # filter frequently changing files from IOX bootflash
> if ($dev =~ /bootflash/) {
>     next if (/temp_cont\s*$/);
>     next if (/uptime_cont\s*$/);
> > Would adding another line for 'volt_cont' be all that's > needed? If volt_cont is showing up in bootflash:, yes, that would probably do it Regards, Lee From mtinka at globaltransit.net Fri Oct 15 12:50:01 2010
From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 15 Oct 2010 20:50:01 +0800 Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1 In-Reply-To: References: <201010142215.49763.mtinka@globaltransit.net> <201010151106.11551.mtinka@globaltransit.net> Message-ID: <201010152050.02452.mtinka@globaltransit.net> On Friday, October 15, 2010 08:41:16 pm Lee wrote: > If volt_cont is showing up in bootflash:,.. Yes, it is:
RP/0/RP0/CPU0:lab#dir bootflash:
Fri Oct 15 20:46:29.630 MYT
Directory of bootflash:
12582915  -rw-  60984  Tue Jun 29 05:26:20 2010  uptime_cont
12582918  -rw-  24     Tue Jun 29 05:26:20 2010  env_hist
12582920  -rw-  764    Tue Jun 29 05:26:20 2010  env_cont
12582923  -rw-  232    Tue Jun 29 05:27:56 2010  temp_static_data
12582927  -rw-  548    Tue Jun 29 05:27:56 2010  volt_static_data
12582931  -rw-  1516   Tue Jun 29 05:27:59 2010  temp_hist
12582933  -rw-  29155  Tue Jun 29 05:27:59 2010  temp_cont
12582936  -rw-  2460   Tue Jun 29 05:27:59 2010  volt_hist
12582938  -rw-  37488  Tue Jun 29 05:27:59 2010  volt_cont
12582941  -rw-  1304   Tue Jun 29 05:30:31 2010  uptime_hist
12582947  drwx  48     Tue Jun 29 05:39:25 2010  disk0
1769534   -rw-  24     Tue Jun 29 05:43:45 2010  errmsg_hist
1769536   -rw-  6475   Tue Jun 29 05:43:45 2010  errmsg_cont
1769541   -rw-  0      Tue Jun 29 05:48:30 2010  mbi_image
8847362   -rw-  32     Tue Jun 29 05:51:44 2010  uptime_static_data
8847370   -rw-  28     Tue Jun 29 05:52:25 2010  env_static_data
8847421   -rw-  24     Tue Jun 29 06:16:16 2010  diag_hist
8847424   -rw-  24     Tue Jun 29 06:16:16 2010  diag_cont
62390272 bytes total (50585352 bytes free)
RP/0/RP0/CPU0:lab#
> yes, that would > probably do it I've had it in there for about 6hrs now, but RANCID keeps picking it up (30-minute intervals). The comment for this line in the script says: "filter frequently changing files from IOX bootflash" Uncertain what 'frequently' actually means. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From ler762 at gmail.com Fri Oct 15 13:40:53 2010 From: ler762 at gmail.com (Lee) Date: Fri, 15 Oct 2010 09:40:53 -0400 Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1 In-Reply-To: <201010152050.02452.mtinka@globaltransit.net> References: <201010142215.49763.mtinka@globaltransit.net> <201010151106.11551.mtinka@globaltransit.net> <201010152050.02452.mtinka@globaltransit.net> Message-ID: On 10/15/10, Mark Tinka wrote: > On Friday, October 15, 2010 08:41:16 pm Lee wrote: > >> If volt_cont is showing up in bootflash:,.. > > Yes, it is: <.. snip example ..> > >> yes, that would >> probably do it > > I've had it in there for about 6hrs now, but RANCID keeps > picking it up (30-minute intervals). I guess the next thing to check is the line in router.db for that router. Is it xxx:cisco:up or some other device type? Take a look at rancid-fe for what gets called for what device type. If you've got the router defined as "cisco-xr" you'd need to modify DirSlotN in xrrancid to ignore that file > The comment for this line in the script says: > > "filter frequently changing files from IOX bootflash" > > Uncertain what 'frequently' actually means. Probably that the file changes often enough that nobody wants to see it showing up in the diffs Regards, Lee From mtinka at globaltransit.net Fri Oct 15 13:48:08 2010 
From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 15 Oct 2010 21:48:08 +0800 Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1 In-Reply-To: References: <201010142215.49763.mtinka@globaltransit.net> <201010152050.02452.mtinka@globaltransit.net> Message-ID: <201010152148.14562.mtinka@globaltransit.net> On Friday, October 15, 2010 09:40:53 pm Lee wrote: > I guess the next thing to check is the line in router.db > for that router. Is it xxx:cisco:up or some other > device type? Take a look at rancid-fe for what gets > called for what device type. If you've got the router > defined as "cisco-xr" you'd need to modify DirSlotN in > xrrancid to ignore that file Yes, it's setup as ':cisco-xr'. I'll patch 'xrrancid'. > Probably that the file changes often enough that nobody > wants to see it showing up in the diffs Ignore that :-), clearly IOS XR has its own script and I didn't catch that. Will let you know how it goes. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From ler762 at gmail.com Fri Oct 15 14:11:20 2010 
From: ler762 at gmail.com (Lee) Date: Fri, 15 Oct 2010 10:11:20 -0400 Subject: [rancid] post-processing the diff listing before mailing? In-Reply-To: <20101012053625.GG22694@shrubbery.net> References: <20101012052242.GE22694@shrubbery.net> <20101012053625.GG22694@shrubbery.net> Message-ID: On 10/12/10, john heasley wrote: > Tue, Oct 12, 2010 at 05:22:42AM +0000, john heasley: >> Wed, Sep 22, 2010 at 01:04:16PM -0400, Lee: >> > Anyone like the idea of processing the diff listing before mailing it >> > out? >> > >> > I'd rather have rancid collect the configs and not mess with them - >> > ie: rancid.conf has >> > FILTER_PWDS=NO >> > NOCOMMSTR=NO >> > ACLSORT=NO >> > but I don't want things like SNMP community strings or >> > encrypted/obfuscated passwords being mailed out.. So my idea is >> > post-processing the diff listing before emailing it out. Which would >> > also let me know which configs changed so I could check the new >> > configs & mail out a 'local config standards violations' email :) >> > >> > The code is really ugly, but as a proof of concept.. >> >> why not do this outside of rancid; mail it to a script that processes >> its input, such as you've done here, and emails the result to your >> diff-receivers list. Mainly because I'm not confident of my ability to get that working correctly 100% of the time. Adding another line or two to the existing script seems much less error-prone :) > everyone can have their own flavor of diff >> post-processing. > > btw, also see rancid-/share/rtrfilter. Thanks for the pointer. The problem I have with rtrfilter is that it deletes lines & I want to know if something is added or changed, but I don't want sensitive info mailed out. Here's my sanitize.sh - any suggestions for what else should be blanked out? 
============
#!/bin/sh
# script to sanitize a cisco config
#
awk '
# blank lines between the diffs of successive devices
/^Index: configs/ {
  if ( NR != 1) printf("\n\n\n")
}
{
  # IOS stuph
  strip("key 7 ", "xXxXxX")
  strip("md5 7 ", "xXxXxX")
  strip("password 7 ", "xXxXxX")
  strip("secret 5 ", "xXxXxX")
  strip("snmp-server community ", "xXxXxX")
  strip("crypto isakmp key ", "xXxXxX")
  strip("tacacs-server key 7 ", "xXxXxX")
  # CatOS stuph
  strip("set password " , "xXxXxX")
  strip("set enablepass ", "xXxXxX")
  strip("set snmp community read-only " , "xXxXxX")
  strip("set snmp community read-write " , "xXxXxX")
  strip("set snmp community read-write-all ", "xXxXxX")
  strip("set tacacs key ", "xXxXxX")
  print $0
}
# replace the word that follows keyword s with r
function strip(s, r) {
  sub(s " *[^ ]*", s r, $0)
}
' "$@"
=============
Thanks, Lee From mtinka at globaltransit.net Fri Oct 15 15:45:38 2010 From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 15 Oct 2010 23:45:38 +0800 Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1 In-Reply-To: <201010152148.14562.mtinka@globaltransit.net> References: <201010142215.49763.mtinka@globaltransit.net> <201010152148.14562.mtinka@globaltransit.net> Message-ID: <201010152345.44936.mtinka@globaltransit.net> On Friday, October 15, 2010 09:48:08 pm Mark Tinka wrote: > Will let you know how it goes. Works! Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From ler762 at gmail.com Fri Oct 15 20:04:17 2010
From: ler762 at gmail.com (Lee) Date: Fri, 15 Oct 2010 16:04:17 -0400 Subject: [rancid] ASR1006 - IOS XE 3.1S, CRS-1 - IOS XR 3.9.1 In-Reply-To: <201010152345.44936.mtinka@globaltransit.net> References: <201010142215.49763.mtinka@globaltransit.net> <201010152148.14562.mtinka@globaltransit.net> <201010152345.44936.mtinka@globaltransit.net> Message-ID: On 10/15/10, Mark Tinka wrote: > On Friday, October 15, 2010 09:48:08 pm Mark Tinka wrote: > >> Will let you know how it goes. > > Works! Yay! I'm glad you got it working Regards, Lee From alligator94 at wanadoo.fr Sat Oct 16 06:52:47 2010
From: alligator94 at wanadoo.fr (Alligator) Date: Sat, 16 Oct 2010 08:52:47 +0200 Subject: [rancid] Use rancid to back up the CTS logs Message-ID: <388E0C9D3FC84C44A0E10E98881B6B46@PCdeMARCEL> Hello, I need your help. I have read the forum and didn't find anything about Cisco CTS boxes. I would like to adapt rancid/cvs to backup the logs of a Cisco CTSxxxx because even if it is a cisco box, it is unable to send its logs to a syslog server. The only way is to ssh in the box, and type a "file view" command and as there is no "term length 0 " command, you need to enter " " until the last page. So:
1) I have to use ssh
2) there is no enable password
3) the prompt is admin:
4) the command to get the logs is : file view log sysop/sysop00001.log
5) you need to enter a "space" to go to the next screen when you have the message : More data : enter, space, b, s, e or q loop until you get : End of file : b, s, or q then you need to type "q" to go back to the prompt "admin:" then type quit to exit the box
I have updated the .cloginrc file to use ssh with noenable password : ok I have added an entry in the file rancid-fe to use ctsrancid for this box : ok I have copied clogin to ctslogin and rancid to ctsrancid I have removed the cisco commands and added my command in the ctsrancid file Could someone help me as I don't know where to change the "prompt", the "More" and the "End of file" in the ctslogin file There is only one command to type and the output doesn't need to be formatted (I just want to see the logs). It should be nice to have a template with some variables to set with the different prompts I have the "exploring expect guide" and I try to understand but, not so easy for me. I don't know what is the rancid version we use in Ubuntu. ls -l /var/lib/rancid/bin shows 2009-08-20. Thank you for any help Alli -------------- next part -------------- An HTML attachment was scrubbed... URL: From diego.ercolani at ssis.sm Tue Oct 19 14:13:44 2010
From: diego.ercolani at ssis.sm (Diego Ercolani) Date: Tue, 19 Oct 2010 16:13:44 +0200 Subject: [rancid] DONE: Implementation of the (generic) linux configuration backup-versioning DEVELOPMENT VERSION Message-ID: <201010191613.45090.diego.ercolani@ssis.sm> Hello, after a year I've updated the script which is responsible of backup a linux box configuration files using rancid. These files are committed to 2.3.2 version of rancid as is the version which I currently run in production environment. This version is based on the version from july 2009 http://www.shrubbery.net/pipermail/rancid-discuss/2009-July/004036.html difference is primarily only the fact that it can handle more sophisticated shell prompt and is also capable of escaping denied expect sequence (like of course "[" and "]") Current version of rancid probably have to be revised to use these scripts..... I didn't have time to align my patches to current version.... it would be nice if developers create a sort of common library of function to use from expect sources and perl sources to create a sort of "SDK" to write own rancid modules.... and then provide a repository where people can upload their contributions. To do this it have to be stabilized the infrastructure Hope this helps. Diego -------------- next part -------------- A non-text attachment was scrubbed... Name: lrancid.tgz Type: application/x-compressed-tar Size: 11923 bytes Desc: not available URL: From smunzani at comcast.net Tue Oct 19 14:30:20 2010
From: smunzani at comcast.net (Sam Munzani) Date: Tue, 19 Oct 2010 09:30:20 -0500 Subject: [rancid] DONE: Implementation of the (generic) linux configuration backup-versioning DEVELOPMENT VERSION In-Reply-To: <201010191613.45090.diego.ercolani@ssis.sm> References: <201010191613.45090.diego.ercolani@ssis.sm> Message-ID: <4CBDAB7C.8050105@comcast.net> Diego, Does your patch allow for use of sudo? Thanks, Sam > Hello, after a year I've updated the script which is responsible of backup a > linux box configuration files using rancid. > > These files are committed to 2.3.2 version of rancid as is the version which I > currently run in production environment. > > This version is based on the version from july 2009 > http://www.shrubbery.net/pipermail/rancid-discuss/2009-July/004036.html > > difference is primarily only the fact that it can handle more sophisticated > shell prompt and is also capable of escaping denied expect sequence > (like of course "[" and "]") > > Current version of rancid probably have to be revised to use these > scripts..... I didn't have time to align my patches to current version.... it > would be nice if developers create a sort of common library of function to use > from expect sources and perl sources to create a sort of "SDK" to write own > rancid modules.... and then provide a repository where people can upload their > contributions. > To do this it have to be stabilized the infrastructure > > Hope this helps. > Diego > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -------------- next part -------------- An HTML attachment was scrubbed... URL: From reini.k at gmail.com Wed Oct 20 14:37:45 2010
From: reini.k at gmail.com (Reinhard Kucera) Date: Wed, 20 Oct 2010 16:37:45 +0200 Subject: [rancid] clogin -c Message-ID: Hey, Is it possible to send commands to the router every time I do rancid-run? For example, I want the running config copied to a tftp server. With clogin I would do:
clogin -c "copy running-conf tftp://1.1.1.1/dir/switch.conf" switch-name
As rancid is using clogin, can I somehow use the -c option from clogin for each device? ryan -------------- next part -------------- An HTML attachment was scrubbed... URL: From reini.k at gmail.com Wed Oct 20 13:43:48 2010 From: reini.k at gmail.com (Reinhard Kucera) Date: Wed, 20 Oct 2010 15:43:48 +0200 Subject: [rancid] e-mail summary notification Message-ID: Hey, first, thanks to Shrubbery for this, well, awesome tool :) I am running it on FreeBSD and everything is working fine. I'm using it to monitor and backup around 40 Cisco devices. So here is the thing: I would prefer that I am not getting an email with all the changes every time I do rancid-run but getting an email, telling me that it backed up all the 40 routers successfully and that the configs of router number (e.g.) 12 and 36 have been changed. Then, if I want to, I can look it up on the CVS repository. If there are no changes, rancid doesn't back up, so the e-mail could say, there were no changes and there is no backup but it was kinda successful. Is there any way to do that? ryan -------------- next part -------------- An HTML attachment was scrubbed... URL: From ugob at lubik.ca Fri Oct 22 17:54:49 2010
From: ugob at lubik.ca (Ugo Bellavance) Date: Fri, 22 Oct 2010 13:54:49 -0400 Subject: [rancid] Rancid problem using h3c switches Message-ID: Hi, We've been using Rancid for our Cisco and Procurve switches, and since we bought a pair of H3C s5800, I'd like to use rancid for them as well. I followed the instructions here http://sites.google.com/site/jrbinks/code/rancid/h3c (thanks Jethro) and then I edited h3clogin to make sure the shebang pointed to the right location of expect. But I can't get it to work yet. Here is what I get for the h3clogin command:
[rancid at rancid bin]$ h3clogin -autoenable -t 5 -c "dis device" switch1
atq-irf-1.atqlan.agri-tracabilite.qc.ca
spawn ssh -c 3des -x -l manager switch1
manager at switch1's password:
******************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
undo terminal monitor
Info: Current terminal monitor is off.
Error: TIMEOUT reached
===================
Any help would be appreciated. Thanks, Ugo -------------- next part -------------- An HTML attachment was scrubbed... URL: From jethro.binks at strath.ac.uk Fri Oct 22 18:57:17 2010
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri, 22 Oct 2010 19:57:17 +0100 (BST) Subject: [rancid] Rancid problem using h3c switches In-Reply-To: References: Message-ID: On Fri, 22 Oct 2010, Ugo Bellavance wrote: > We've been using Rancid for our Cisco and Procurve switches, and since > we bought a pair of H3C s5800, I'd like to use rancid for them as well. > > I followed the instructions here > http://sites.google.com/site/jrbinks/code/rancid/h3c (thanks Jethro) and > then I edited h3clogin to make sure the shebang pointed to the right > location of expect. But I can't get it to work yet. I'll send you a new version privately, although I've never tested on S5800 I expect it should work. Jethro. > > Here is what I get for the h3clogin command: > > [rancid at rancid bin]$ h3clogin -autoenable -t 5 -c "dis device" switch1 > atq-irf-1.atqlan.agri-tracabilite.qc.ca > spawn ssh -c 3des -x -l manager switch1 > manager at switch1's password: > > ****************************************************************************** > * Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved. > * > * Without the owner's prior written consent, > * > * no decompiling or reverse-engineering shall be allowed. > * > ****************************************************************************** > > undo terminal monitor > Info: Current terminal monitor is off. > > > > Error: TIMEOUT reached > =================== > > Any help would be appreciated. > > Thanks, > > Ugo > . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks, Network Manager, Information Services Directorate, University Of Strathclyde, Glasgow, UK The University of Strathclyde is a charitable body, registered in Scotland, number SC015263. From heas at shrubbery.net Sat Oct 23 21:36:02 2010 
From: heas at shrubbery.net (john heasley) Date: Sat, 23 Oct 2010 21:36:02 +0000 Subject: [rancid] e-mail summary notification In-Reply-To: References: Message-ID: <20101023213602.GE20029@shrubbery.net> Wed, Oct 20, 2010 at 03:43:48PM +0200, Reinhard Kucera: > Hey, > first, thanks to Shrubbery for this, well, awesome tool :) > I am running it on FreeBSD and everything is working fine. I'm using it to > monitor and backup around 40 Cisco devices. > > So here is the thing: I would prefer that I am not getting an email with all > the changes every time I do rancid-run but getting an email, telling me that > it backed up all the 40 routers successfully and that the configs of router > number (e.g.) 12 and 36 have been changed. > Then, if I want to, I can look it up on the CVS repository. > If there are no changes, rancid doesn't back up, so the e-mail could say, > there were no changes and there is no backup but it was kinda successful. > > Is there any way to do that? pipe the mail to a script and count the cvs index lines w/ grep. it doesn't send mail when there are no changes. it does send mail about devices that haven't been successful in OLDTIME hours. From heas at shrubbery.net Sat Oct 23 21:40:49 2010 From: heas at shrubbery.net (john heasley) Date: Sat, 23 Oct 2010 21:40:49 +0000 Subject: [rancid] clogin -c In-Reply-To: References: Message-ID: <20101023214048.GF20029@shrubbery.net> Wed, Oct 20, 2010 at 04:37:45PM +0200, Reinhard Kucera: > Hey, > Is it possible to send commands to the router every time I do rancid-run? For > example, I want the running config copied to a tftp server. With clogin I > would do: > > clogin -c "copy running-conf tftp://1.1.1.1/dir/switch.conf" switch-name > > As rancid is using clogin, can I somehow use the -c option from clogin for > each device? just run it, before rancid starts, for each line in routers.up. From mvalencia at comteco.com.bo Wed Oct 27 14:00:23 2010
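[Added example, not part of the archived thread and not rancid's own code: one way to build the summary john heasley suggests in the "e-mail summary notification" reply above, by counting the "Index: configs/..." lines of the diff mail. It goes a little further than a bare grep count by listing each device with its added/removed line counts while never echoing config text, so community strings and password hashes stay out of the summary. It assumes the mail body arrives on stdin as a unified diff whose hunks start with "@@"; the function names and the sample mail are constructed for illustration.]

```shell
#!/bin/sh
# Added example: summarize a rancid diff mail without repeating any config text.
# Assumption: every changed device starts with an "Index: configs/<device>"
# line (the same marker Lee's sanitize.sh keys on) and the diff is unified.

summarize_rancid_diff() {
    awk '
    /^Index: configs\// {
        dev = $2
        sub(/^configs\//, "", dev)
        if (!(dev in added)) {
            order[++n] = dev
            added[dev] = 0
            removed[dev] = 0
        }
        cur = dev
        inhunk = 0          # ignore the ---/+++ file headers that follow
        next
    }
    cur == ""  { next }     # mail headers and preamble before the first device
    /^@@/      { inhunk = 1; next }
    !inhunk    { next }
    /^\+/      { added[cur]++; next }
    /^-/       { removed[cur]++ }
    END {
        printf "%d device(s) changed\n", n
        for (i = 1; i <= n; i++)
            printf "%s +%d -%d\n", order[i], added[order[i]], removed[order[i]]
    }'
}

# Constructed sample of a diff mail body (hostnames and secrets are made up).
constructed_mail() {
    cat <<'EOF'
Subject: constructed sample of a rancid diff mail

Index: configs/rtr-a.example.net
===================================================================
--- configs/rtr-a.example.net (constructed)
+++ configs/rtr-a.example.net (constructed)
@@ -10,3 +10,3 @@
  !
- snmp-server community OLDSECRET RO
+ snmp-server community NEWSECRET RO
  !
Index: configs/sw-b.example.net
===================================================================
@@ -1,2 +1,3 @@
  hostname sw-b
+ ip name-server 192.0.2.53
  !
EOF
}

# "--demo" prints the summary for the constructed mail; "--stdin" summarizes
# whatever is piped in (for example from a mail alias or procmail rule).
if [ "${1:-}" = "--demo" ]; then
    constructed_mail | summarize_rancid_diff
elif [ "${1:-}" = "--stdin" ]; then
    summarize_rancid_diff
fi
```

[End of added example. The summary can be mailed to a wide audience while the full diff goes only to those who need the config contents.]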
From: mvalencia at comteco.com.bo (Mauricio Valencia) Date: Wed, 27 Oct 2010 14:00:23 +0000 (UTC) Subject: [rancid] tntlogin close conection after open it Message-ID: Hi all, I have configured rancid in ubuntu 10.10 64bits and it works fine with cisco units, but I want to monitor a lucent tnt box, I have this config for .cloginrc
add password tnttest {passwd}
and when I test the login I get this:
rancid at jetfire:/$ /usr/lib/rancid/bin/tntlogin tnttest
tnttest
spawn telnet tnttest
Trying 10.4.1.72...
Connected to tnttest.
Escape character is '^]'.
User: rancid
Password:
rancid> ?
Error: TIMEOUT reached
rancid at jetfire:/$ ?
?: command not found
Any clues, please help me From ler762 at gmail.com Wed Oct 27 20:12:53 2010 From: ler762 at gmail.com (Lee) Date: Wed, 27 Oct 2010 16:12:53 -0400 Subject: [rancid] anyone have rancid working for a nexus 5000? Message-ID: rancid log says
write(spawn_id=1): broken pipe
while executing
"send_user -- "$expect_out(buffer)""
invoked from within
when trying to get the config from a nexus 5000. I've tried it with the device configured as type "cisco" as well as "cisco-nx" - no joy either way. For whatever it's worth, rancid does fine on a nexus 7000 (device type=cisco-nx) and a nexus 4000 (device type=cisco). Any hints on getting it working or figuring out what the problem is with a nexus 5000? Thanks, Lee From brez at brezworks.com Wed Oct 27 23:18:55 2010
From: brez at brezworks.com (Jeremy Bresley) Date: Wed, 27 Oct 2010 18:18:55 -0500 Subject: [rancid] anyone have rancid working for a nexus 5000? In-Reply-To: References: Message-ID: <4CC8B35F.2050707@brezworks.com> On 10/27/2010 3:12 PM, Lee wrote: > rancid log says > > write(spawn_id=1): broken pipe > while executing > "send_user -- "$expect_out(buffer)"" > invoked from within > > when trying to get the config from a nexus 5000. I've tried it with > the device configured as type "cisco" as well as "cisco-nx" - no joy > either way. > > For whatever it's worth, rancid does fine on a nexus 7000 (device > type=cisco-nx) and a nexus 4000 (device type=cisco). Any hints on > getting it working or figuring out what the problem is with a nexus > 5000? > > > Thanks, > Lee I've got rancid 2.3.5 working against 3 N5020s. We don't have TACACS on ours yet, just using local auth, one change you might need is to add the following to .cloginrc: add autoenable 1 Hope this helps. Jeremy From codefire.geo at yahoo.com Thu Oct 28 21:28:02 2010 
From: codefire.geo at yahoo.com (Adam Coven) Date: Thu, 28 Oct 2010 14:28:02 -0700 (PDT) Subject: [rancid] Trouble compiling expect / expect hack Message-ID: <329761.55059.qm@web110307.mail.gq1.yahoo.com> I'm running CentOS 2.6.18-194.17.1.el5PAE I downloaded the files from the ftp site: expect-5.43.0_hack.tar.bz2 tcl8.3.4.tar.gz TCL compiled fine but when I try to compile expect I get:
exp_chan.c: In function ‘ExpInputProc’:
exp_chan.c:193: error: array type has incomplete element type
exp_chan.c:204: error: ‘POLLIN’ undeclared (first use in this function)
exp_chan.c:204: error: (Each undeclared identifier is reported only once
exp_chan.c:204: error: for each function it appears in.)
exp_chan.c:204: error: ‘POLLERR’ undeclared (first use in this function)
exp_chan.c:204: error: ‘POLLHUP’ undeclared (first use in this function)
exp_chan.c:204: error: ‘POLLNVAL’ undeclared (first use in this function)
exp_chan.c: In function ‘expWaitOnAny’:
exp_chan.c:538: warning: passing argument 2 of ‘waitpid’ from incompatible pointer type
make: *** [exp_chan.o] Error 1
Has anyone come across this and / or knows how I could fix it? Thanks in advance, Codefire -------------- next part -------------- An HTML attachment was scrubbed... URL: From ler762 at gmail.com Fri Oct 29 13:52:45 2010
From: ler762 at gmail.com (Lee) Date: Fri, 29 Oct 2010 09:52:45 -0400 Subject: [rancid] anyone have rancid working for a nexus 5000? In-Reply-To: <4CC8B35F.2050707@brezworks.com> References: <4CC8B35F.2050707@brezworks.com> Message-ID: On 10/27/10, Jeremy Bresley wrote: > On 10/27/2010 3:12 PM, Lee wrote: >> rancid log says >> >> write(spawn_id=1): broken pipe >> while executing >> "send_user -- "$expect_out(buffer)"" >> invoked from within >> >> when trying to get the config from a nexus 5000. I've tried it with >> the device configured as type "cisco" as well as "cisco-nx" - no joy >> either way. >> >> For whatever it's worth, rancid does fine on a nexus 7000 (device >> type=cisco-nx) and a nexus 4000 (device type=cisco). Any hints on >> getting it working or figuring out what the problem is with a nexus >> 5000? >> >> >> Thanks, >> Lee > > I've got rancid 2.3.5 working against 3 N5020s. We don't have TACACS on > ours yet, just using local auth, one change you might need is to add the > following to .cloginrc: > add autoenable 1 > > Hope this helps. Yes, it does. Works for you means it's something I've done, something special in our login banner or ?? Have you applied the patch for dealing with autoenable being left out? (http://www.shrubbery.net/pipermail/rancid-discuss/2010-August/005160.html) Maybe I'll try backing that out. Thanks, Lee From dean at fragfest.com.au Sat Oct 30 02:33:28 2010 
From: dean at fragfest.com.au (Dean Hamstead) Date: Fri, 29 Oct 2010 18:33:28 -0800 Subject: [rancid] Screen shots of Ranci Message-ID: Hi Rancid Community, I'm looking for some screen shots of rancid 'in the wild' to help put together a solution design presentation which uses rancid. I realize of course that much of the magic of rancid is not really screen-shot-able, and that once configs are loaded in to cvs/svn it's up to the source control viewing software. So with that totally understood, I'm hoping a few helpful people might be able to snap some screenshots of rancid in action with a variety of hardware (Cisco, Juniper, HP etc), of some configs being viewed (and diffed etc) in their cvs/svn (hopefully with a few different viewing softwares), even some emails from their systems. Of course, please remove or obscure anything sensitive. Thank you to anyone who can spare a moment to help a stranger :) Dean