From philipp at redfish-solutions.com Sat Dec 3 00:54:11 2016
From: philipp at redfish-solutions.com (Philip Prindeville)
Date: Sat, 03 Dec 2016 00:54:11 -0000
Subject: [rancid] Logging/encryption patches sent last month
In-Reply-To: <2086D8F0-A3E2-4203-A9E0-0BED788E04D3@redfish-solutions.com>
References: <2086D8F0-A3E2-4203-A9E0-0BED788E04D3@redfish-solutions.com>
Message-ID: <9267190B-04E9-4697-909C-22F7A62863A8@redfish-solutions.com>

> On Oct 19, 2016, at 12:08 PM, Philip Prindeville wrote:
>
> I was going to submit packaging for tac_plus on Redhat (Fedora, CentOS, EPEL, RHEL) but if the project is no longer accepting patches then I don't want to be in a position to have to maintain distro-specific patches for Redhat with no hope of upstreaming them.

Looking at the tarball, I'm seeing a .spec file... but it doesn't conform to some Fedora packaging requirements... like avoiding embedding files as here-documents in the .spec file.

Are there any objections to breaking those files out?

Thanks,

-Philip

From on at LEFerguson.com Fri Dec 2 18:31:52 2016
From: on at LEFerguson.com (on at LEFerguson.com)
Date: Fri, 2 Dec 2016 18:31:52 +0000
Subject: [rancid] rancid - Cisco WLC devices
References: <7451D4018F28FD479AD780242296607191727F07@SIILPEOSVEX01.skin.local> <20161130190429.GG51915@shrubbery.net> <7451D4018F28FD479AD780242296607191728062@SIILPEOSVEX01.skin.local> <20161130191957.GI51915@shrubbery.net>
Message-ID:

> Can I just install this over the current version that I have running. I set this up through the package in Ubuntu. It took me a really long time to get all this working as I am a newbie with this. I am currently on version 3.3.0.

I just wanted to thank you for bringing this up and the answers. I didn't even bother trying the WLC's as they are so weird, but after a bit of digging (magic name for me was cisco-wlc5, there's also a 4) it seemed to work perfectly. I found I also needed "noenable" defined for these, not sure if that's our setup or normal. But having done that it all worked perfectly.

To the OP, if the distros are out of date (and it looks as though they are), you might look at just building it yourself. While the paths will end up differently, this is about all it takes on Ubuntu to get a working config built from source. DO NOT JUST DO THIS on a working system as the paths change, and any existing rancid will be separate and trying to run at the same time, perhaps. I just offer this as sometimes "build from source" sounds so ominous, but it's not here. This presumes you have the required libraries, which you should have most of with a distro package installed. I don't have a rancid only list as I have so many other items installed, or I would share it.

wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.5.1.tar.gz
tar -zxvf rancid-3.5.1.tar.gz
cd rancid-3.5.1
./configure --prefix=/home/rancid --localstatedir=/home/rancid/var/rancid
make install

You could play with the configs, as mentioned, and probably get them to build over the same paths. With the above I think you need to change the rancid account's PATH also to include the new bin directory this creates. But if you have a system you can experiment on, you can keep it more up to date with building it yourself, without a lot of trouble.

Thanks.

Linwood

From Brad.Shifflett at micromenders.com Mon Dec 5 23:23:12 2016
From: Brad.Shifflett at micromenders.com (Brad Shifflett)
Date: Mon, 5 Dec 2016 23:23:12 +0000
Subject: [rancid] Need to pull certain info from configs
Message-ID:

I want to run a command to search all of our devices, report back which firewalls and devices have ssh opened to the outside world.
Example: ssh 0.0.0.0 0.0.0.0

Any idea on how we can do that? I recall doing a grep for serial numbers and asa-versions

Brad Shifflett

---------------------------------------------------------------------------------------
This email has been scanned for email related threats and delivered safely by Mimecast.
For more information please visit http://www.mimecast.com
---------------------------------------------------------------------------------------

From doug.hughes at keystonenap.com Mon Dec 5 23:38:57 2016
From: doug.hughes at keystonenap.com (Doug Hughes)
Date: Mon, 5 Dec 2016 18:38:57 -0500
Subject: [rancid] Need to pull certain info from configs
In-Reply-To:
References:
Message-ID: <5513614d-5daf-aca6-5315-9cd28fd71098@keystonenap.com>

you can do just like you said.
grep 'ssh 0.0.0.0 0.0.0.0' from all of your configs

On 12/5/2016 6:23 PM, Brad Shifflett wrote:
> I want to run a command to search all of our devices, report back
> which firewalls and devices have ssh opened to the outside world.
> Example: ssh 0.0.0.0 0.0.0.0
>
> Any idea on how we can do that? I recall doing a grep for serial
> numbers and asa-versions
>
> Brad Shifflett
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

--
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562)
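
Added example, not part of any message in this thread: a shell function that turns the grep suggested above into a per-device report of group, device, service and interface. It assumes RANCID's usual <basedir>/<group>/configs/<device> layout and ASA-style lines of the form "service address mask interface", and it goes beyond ssh to telnet and http; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list saved configs that permit
# management access from any source address (0.0.0.0 0.0.0.0).
# Assumption: configs live in <basedir>/<group>/configs/<device>.

# audit_any_source BASEDIR
# Prints one tab-separated row per finding: group, device, service, interface.
audit_any_source() {
    basedir=$1
    for cfg in "$basedir"/*/configs/*; do
        # Skip revision-control directories and unmatched globs.
        [ -f "$cfg" ] || continue
        group=$(basename "$(dirname "$(dirname "$cfg")")")
        device=$(basename "$cfg")
        # The match is anchored at column 0, so "!" comment lines, remarks
        # and indented description text that merely quote the rule are
        # ignored. A trailing CR from the device is stripped first.
        awk -v g="$group" -v d="$device" '
            { sub(/\r$/, "") }
            /^(ssh|telnet|http) +0\.0\.0\.0 +0\.0\.0\.0( |$)/ {
                printf "%s\t%s\t%s\t%s\n", g, d, $1, ($4 == "" ? "-" : $4)
            }' "$cfg"
    done
}

# make_sample_tree DIR
# Builds a small constructed config tree (not real device output).
make_sample_tree() {
    mkdir -p "$1/firewalls/configs/CVS" "$1/switches/configs"
    printf '%s\n' '!RANCID-CONTENT-TYPE: cisco' 'hostname fw1' \
        'ssh 0.0.0.0 0.0.0.0 outside' 'ssh 10.0.0.0 255.0.0.0 inside' \
        'telnet 0.0.0.0 0.0.0.0 inside' > "$1/firewalls/configs/fw1"
    printf '%s\n' 'hostname fw2' '! removed: ssh 0.0.0.0 0.0.0.0 outside' \
        'ssh 192.0.2.0 255.255.255.0 outside' > "$1/firewalls/configs/fw2"
    printf '%s\n' 'hostname sw1' ' description ssh 0.0.0.0 0.0.0.0 lab' \
        > "$1/switches/configs/sw1"
}

# Demonstration run on the constructed tree.
sample=$(mktemp -d)
make_sample_tree "$sample"
audit_any_source "$sample"
rm -rf "$sample"
```

The interface column is what separates a rule bound to an outside interface from one bound to an inside interface, which a bare grep for the address pair does not show at a glance.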
From on at LEFerguson.com Tue Dec 6 00:14:59 2016
From: on at LEFerguson.com (on at LEFerguson.com)
Date: Tue, 6 Dec 2016 00:14:59 +0000
Subject: [rancid] Need to pull certain info from configs
Message-ID:

>I want to run a command to search all of our devices, report back which
>firewalls and devices have ssh opened to the outside world. Example: ssh 0.0.0.0 0.0.0.0

If you have an NMS that can be a good hook if this is something you want to do on an automated, e.g. recurring basis. I use Zabbix, and I wrote some fairly simple minder parsing routines to find the config from the name (pretty easy given the directory structure in rancid) and then parse out what IPSec tunnels were defined. Then with SNMP polling I get which SNMP tunnels are up, and can compare the two to see if any are failing, turned down, never started, etc. But you could parse for most anything and tie to an NMS data collection.

But for one-time needs, grep is perfect -- it's quite nice having them all pulled as text files as they are in Rancid.

Linwood

From imd at acens.com Wed Dec 7 15:50:33 2016
From: imd at acens.com (Iñaki Martínez Díez)
Date: Wed, 7 Dec 2016 15:50:33 +0000
Subject: [rancid] Migration from Rancid 2.3.8 (Debian 6.0.10 Package) to new Rancid 3.x (latest)
Message-ID:

An HTML attachment was scrubbed...

From heas at shrubbery.net Wed Dec 7 16:09:34 2016
From: heas at shrubbery.net (heasley)
Date: Wed, 7 Dec 2016 16:09:34 +0000
Subject: [rancid] Migration from Rancid 2.3.8 (Debian 6.0.10 Package) to new Rancid 3.x (latest)
In-Reply-To:
References:
Message-ID: <20161207160934.GC85632@shrubbery.net>

Wed, Dec 07, 2016 at 03:50:33PM +0000, Iñaki Martínez Díez:
> My intention is to HOLD Rancid Packages and upgrade Debian to version 8.6 and then migrate Rancid to the newest version.

there is an UPGRADING file in the distribution with notes about moving from 2.x to 3.x.

From heas at shrubbery.net Wed Dec 7 17:38:50 2016
From: heas at shrubbery.net (heasley)
Date: Wed, 7 Dec 2016 17:38:50 +0000
Subject: [rancid] supermicro switch (again)
In-Reply-To:
References: <20161116201401.GM27885@shrubbery.net> <20161121063521.GC73648@shrubbery.net> <20161121153310.GE73648@shrubbery.net>
Message-ID: <20161207173850.GK85632@shrubbery.net>

Tue, Nov 22, 2016 at 01:47:00PM +0100, Marcin Dulak:
> On Mon, Nov 21, 2016 at 4:33 PM, heasley wrote:
>
> > Mon, Nov 21, 2016 at 10:26:25AM +0100, Marcin Dulak:
> > > naively I do:
> > > cp usr/share/perl5/vendor_perl/rancid/edgemax.pm
> > > usr/share/perl5/vendor_perl/rancid/supermicro.pm
> > > change "package supermicro;" on the top and add a print STDERR ("I'm
> > > here"); to ShowVersion,
> > > but "I'm here" does not appear in the output of:
> >
> > you haven't a module line in the device config below, so the module is not
> > loaded.
> >
> >
> thanks, this was missing. It was also important to specify the module to be
> used with "supermicro;script;rancid -t supermicro".
> Based on rancid-3.5.1, I managed to get the basic information out of the
> switch with the following changes:
>
> $ cat etc/rancid/rancid.types.conf
> supermicro;script;rancid -t supermicro
> supermicro;login;smlogin
> supermicro;inloop;supermicro::inloop
> supermicro;module;supermicro
> supermicro;command;supermicro::ShowVersion;show version
> supermicro;command;supermicro::WriteTerm;show running-config

do you/anyone have one of these that I can access remotely?

From gmourani at gmail.com Thu Dec 8 15:08:28 2016
From: gmourani at gmail.com (Gerhard Mourani) Date: Thu, 8 Dec 2016 10:08:28 -0500 Subject: [rancid] Fortigate OSPF MD5 key Message-ID: <3562C498-DC24-4C95-B4F0-9825DC3E0DB0@gmail.com> Hello, I've a small problem with Fortigate devices using OSPF with dynamic key. Every time a new check is made, new backup is generated because dynamic MD5 Key change and I get something like the following each time. set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2" Does someone know how I can exclude this kind of line to be taken? Gerhard, -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Thu Dec 8 17:33:55 2016 From: heas at shrubbery.net (heasley) Date: Thu, 8 Dec 2016 17:33:55 +0000 Subject: [rancid] Fortigate OSPF MD5 key In-Reply-To: <20161208172838.4062F1CFA57@sea.shrubbery.net> <3562C498-DC24-4C95-B4F0-9825DC3E0DB0@gmail.com> Message-ID: <20161208173355.GD21846@shrubbery.net> Thu, Dec 08, 2016 at 10:08:28AM -0500, Gerhard Mourani: > I've a small problem with Fortigate devices using OSPF with dynamic key. Every time a new check is made, new backup is generated because dynamic MD5 Key change and I get something like the following each time. > > set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2" > > Does someone know how I can exclude this kind of line to be taken? Based on rancid 3.6, i think this will filter it, lmk if it doesn't: Index: bin/fnrancid.in =================================================================== --- bin/fnrancid.in (revision 3536) +++ bin/fnrancid.in (working copy) @@ -228,7 +228,7 @@ next; } # filter cycling password encryption - if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i && + if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i && ($filter_osc || $filter_pwds > 0)) { ProcessHistory("ENC","","","#$1 ENC $3\n"); next; From gmourani at gmail.com Thu Dec 8 18:29:53 2016 
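Review bot: The replacement pattern adds a capture group, ( \d+)?, ahead of the ENC token, so the token is now $3 and the remainder of the line is $4, yet the unchanged ProcessHistory context line still prints $3. As posted, the filtered comment line would carry the cycling ENC value instead of dropping it, which defeats the filter. Print $4 there, or write the index group as (?: \d+)? so the existing $3 keeps pointing at the trailing text.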
From: gmourani at gmail.com (Gerhard Mourani) Date: Thu, 8 Dec 2016 13:29:53 -0500 Subject: [rancid] Fortigate OSPF MD5 key In-Reply-To: <20161208173355.GD21846@shrubbery.net> References: <20161208173355.GD21846@shrubbery.net> Message-ID: <84E1EC40-EAF8-4EFC-9DA6-D26A099616BB@gmail.com> It doesn't, I've md5-key + auth-password now! worse then before. I'm using Rancid version 3.2.11 and here my original lines: # filter cycling password encryption if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) { ProcessHistory("ENC","","","#$1 ENC $3\n"); next; } Gerhard, > On Dec 8, 2016, at 12:33 PM, heasley wrote: > > Thu, Dec 08, 2016 at 10:08:28AM -0500, Gerhard Mourani: >> I've a small problem with Fortigate devices using OSPF with dynamic key. Every time a new check is made, new backup is generated because dynamic MD5 Key change and I get something like the following each time. >> >> set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2" >> >> Does someone know how I can exclude this kind of line to be taken? > > Based on rancid 3.6, i think this will filter it, lmk if it doesn't: > > Index: bin/fnrancid.in > =================================================================== > --- bin/fnrancid.in (revision 3536) > +++ bin/fnrancid.in (working copy) > @@ -228,7 +228,7 @@ > next; > } > # filter cycling password encryption > - if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i && > + if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i && > ($filter_osc || $filter_pwds > 0)) { > ProcessHistory("ENC","","","#$1 ENC $3\n"); > next; > -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Thu Dec 8 18:45:44 2016 
From: heas at shrubbery.net (heasley) Date: Thu, 8 Dec 2016 18:45:44 +0000 Subject: [rancid] Fortigate OSPF MD5 key In-Reply-To: <84E1EC40-EAF8-4EFC-9DA6-D26A099616BB@gmail.com> References: <20161208173355.GD21846@shrubbery.net> <84E1EC40-EAF8-4EFC-9DA6-D26A099616BB@gmail.com> Message-ID: <20161208184544.GH21846@shrubbery.net> Thu, Dec 08, 2016 at 01:29:53PM -0500, Gerhard Mourani: > It doesn't, I've md5-key + auth-password now! worse then before. > > I'm using Rancid version 3.2.11 and here my original lines: $filter_osc isnt in 3.2 (besides that there never was a 3.2.11). If you included that when you patched your script, I'm not sure what the result would be. Otherwise, it looks like it should have worked for both cases. if you can provide a .raw file, i can fix this more easily: export NOPIPE=YES fnrancid -dl hostname send hostname.raw to me as an attachment. > # filter cycling password encryption > if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) { > ProcessHistory("ENC","","","#$1 ENC $3\n"); > next; > } > > Gerhard, > > > On Dec 8, 2016, at 12:33 PM, heasley wrote: > > > > Thu, Dec 08, 2016 at 10:08:28AM -0500, Gerhard Mourani: > >> I've a small problem with Fortigate devices using OSPF with dynamic key. Every time a new check is made, new backup is generated because dynamic MD5 Key change and I get something like the following each time. > >> > >> set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2" > >> > >> Does someone know how I can exclude this kind of line to be taken? > > > > Based on rancid 3.6, i think this will filter it, lmk if it doesn't: > > > > Index: bin/fnrancid.in > > =================================================================== > > --- bin/fnrancid.in (revision 3536) > > +++ bin/fnrancid.in (working copy) 
> > @@ -228,7 +228,7 @@ > > next; > > } > > # filter cycling password encryption > > - if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i && > > + if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i && > > ($filter_osc || $filter_pwds > 0)) { > > ProcessHistory("ENC","","","#$1 ENC $3\n"); > > next; > > > From heas at shrubbery.net Fri Dec 9 18:22:50 2016 From: heas at shrubbery.net (heasley) Date: Fri, 9 Dec 2016 18:22:50 +0000 Subject: [rancid] Fortigate OSPF MD5 key In-Reply-To: <20161209182137.EA19F8E690@sea.shrubbery.net> <20161208184544.GH21846@shrubbery.net> Message-ID: <20161209182250.GD24603@shrubbery.net> Thu, Dec 08, 2016 at 06:45:44PM +0000, heasley: > Thu, Dec 08, 2016 at 01:29:53PM -0500, Gerhard Mourani: > > It doesn't, I've md5-key + auth-password now! worse then before. > > > > I'm using Rancid version 3.2.11 and here my original lines: > > $filter_osc isnt in 3.2 (besides that there never was a 3.2.11). If you > included that when you patched your script, I'm not sure what the result > would be. Otherwise, it looks like it should have worked for both cases. > > if you can provide a .raw file, i can fix this more easily: > export NOPIPE=YES > fnrancid -dl hostname > send hostname.raw to me as an attachment. > > > # filter cycling password encryption > > if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) { > > ProcessHistory("ENC","","","#$1 ENC $3\n"); > > next; > > } > > > > Gerhard, This appears to work: Index: fnrancid.in =================================================================== --- fnrancid.in (revision 3460) +++ fnrancid.in (working copy) @@ -228,9 +228,9 @@ next; } # filter cycling password encryption - if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i && + if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i && ($filter_osc || $filter_pwds > 0)) { - ProcessHistory("ENC","","","#$1 ENC $3\n"); + ProcessHistory("ENC","","","#$1 ENC $4\n"); next; } ProcessHistory("","","","$_"); From gmourani at gmail.com Fri Dec 9 19:38:54 2016 
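Review bot: On the changed if line, ( \d+)? is only there to let the key index through, but as a capturing group it is what moved the trailing text from $3 to $4 and made the second changed line necessary. Writing it as (?: \d+)? would keep the original numbering and leave the ProcessHistory line untouched, which is less likely to be tripped over in a later edit. Separately, the unchanged context line tests $filter_osc, so the hunk assumes a tree that already defines that variable.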
From: gmourani at gmail.com (Gerhard Mourani) Date: Fri, 9 Dec 2016 14:38:54 -0500 Subject: [rancid] Fortigate OSPF MD5 key In-Reply-To: <20161209182250.GD24603@shrubbery.net> References: <20161209182250.GD24603@shrubbery.net> Message-ID: <17C01952-22EC-4207-AC17-B2EFA7C5E4EA@gmail.com> Yes, it appears to work. I'll continue to check it for some days and will let you know if something change. Big thanks for your great help here. > On Dec 9, 2016, at 1:22 PM, heasley wrote: > > Thu, Dec 08, 2016 at 06:45:44PM +0000, heasley: >> Thu, Dec 08, 2016 at 01:29:53PM -0500, Gerhard Mourani: >>> It doesn't, I've md5-key + auth-password now! worse then before. >>> >>> I'm using Rancid version 3.2.11 and here my original lines: >> >> $filter_osc isnt in 3.2 (besides that there never was a 3.2.11). If you >> included that when you patched your script, I'm not sure what the result >> would be. Otherwise, it looks like it should have worked for both cases. >> >> if you can provide a .raw file, i can fix this more easily: >> export NOPIPE=YES >> fnrancid -dl hostname >> send hostname.raw to me as an attachment. >> >>> # filter cycling password encryption >>> if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) { >>> ProcessHistory("ENC","","","#$1 ENC $3\n"); >>> next; >>> } >>> >>> Gerhard, > > This appears to work: > > Index: fnrancid.in > =================================================================== > --- fnrancid.in (revision 3460) > +++ fnrancid.in (working copy) > @@ -228,9 +228,9 @@ > next; > } > # filter cycling password encryption > - if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i && > + if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i && > ($filter_osc || $filter_pwds > 0)) { > - ProcessHistory("ENC","","","#$1 ENC $3\n"); > + ProcessHistory("ENC","","","#$1 ENC $4\n"); > next; > } > ProcessHistory("","","","$_"); > From erikm at buh.org Mon Dec 12 00:42:22 2016 
From: erikm at buh.org (Erik Muller) Date: Sun, 11 Dec 2016 19:42:22 -0500 Subject: [rancid] juniper dynamic-vpn license filtering Message-ID: I've recently started monitoring a few branch SRXes that are serving as backup out-of-band access to production sites, and the license usage change every time somebody (dis)connects gets to be a bit much. The attached patch tweaks the existing license filtering to ignore changes in usage on small pools. The 100 threshold is kind of arbitrary; 500 might be a more reasonable number for where the percentage summary starts to be useful and 4000 looks to be where the large-scale subscriber licenses start - but this at least reduces the noise at the low end. Or should this maybe just follow the filter_osc model? tested on 3.3.0(ubuntu), but the patch seems clean against 3.6 still. -e -------------- next part -------------- --- junos.pm.orig 2016-12-11 15:38:54.564455375 -0500 +++ junos.pm 2016-12-11 15:39:42.404544746 -0500 
@@ -456,20 +456,26 @@ next if (/^\{(master|backup)(:\d+)?\}/); # licenses used changes constantly. distill it to a percentage. - if (/^(\s+scale-subscriber)(\s+)(\d+)(\s+\d+)(.*$)/) { + if (/^(\s+(?:dynamic-vpn|scale-subscriber))(\s+)(\d+)(\s+\d+)(.*$)/) { my($a, $sp, $used, $avail, $rem) = ($1, $2, $3, $4, $5); my($spl, $usedl) = (length($sp), length($used)); my($pcnt); + my($usage); if ($avail < 1) { $pcnt = ">100"; + } elsif ($avail < 100) { + # if license count is small, percentage doesn't do much to + # stabilize the output - just skip it. + $usage = "--"; } else { $pcnt = int(($used + 0.0) / ($avail + 0.0) * 100); } - my($pcntl) = length($pcnt) + 1; + if (defined $pcnt) { $usage = sprintf("%s%%",$pcnt) }; + my($pcntl) = length($usage) ; $spl = $spl + $usedl - $pcntl; - my($fmt) = "%s%-" . $spl . "s%s%%%s%s\n"; - $_ = sprintf($fmt, $a, "", $pcnt, $avail, $rem); + my($fmt) = "%s%-" . $spl . "s%s%s%s\n"; + $_ = sprintf($fmt, $a, "", $usage, $avail, $rem); } /Unrecognized command/ && return(1); From aleromex at gmail.com Mon Dec 12 09:01:24 2016 
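Review bot: The new elsif ($avail < 100) branch hard-codes the pool-size cutoff and replaces the usage figure with "--", so for dynamic-vpn and small scale-subscriber pools the output no longer distinguishes an idle pool from an exhausted one. Consider a named variable for the cutoff (or a switch alongside the existing filter options) and update the comment above the if, which still says the value is distilled to a percentage. The stray semicolon after the closing brace of the if (defined $pcnt) block can also go.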
From: aleromex at gmail.com (Alexander R)
Date: Mon, 12 Dec 2016 12:01:24 +0300
Subject: [rancid] IBM BNT Layer 2/3 Copper Gigabit Ethernet Switch no config collected
Message-ID:

Hi,

my configuration:
centos 7 x86_64
i've issue in rancid 3.5.1 and 3.6.0

i've issue to collect configs from switch modules "BNT Layer 2/3 Copper
Gigabit Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH image1))",
it has IP 192.168.1.11

It's cisco-like CLI, so i've created my own "ibm" type in rancid.types.conf:

# cat /etc/rancid/rancid.types.conf
ibm;script;rancid -t ibm
ibm;login;clogin
ibm;module;ios
ibm;inloop;ios::inloop
ibm;command;ios::WriteTerm;show running-config

It's working fine with other switch module "IBM Networking OS Virtual
Fabric 10Gb Switch Module for IBM BladeCenter (7.8.3 (FLASH image1))" and
it have IP 192.168.1.12, but not with "BNT Layer 2/3 Copper Gigabit
Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH image1))"

Fail device:
# rancid -t ibm -d 192.168.1.11
loadtype: device type ibm
loadtype: found device type ibm in /etc/rancid/rancid.types.conf
executing clogin -t 90 -c"show running-config" 192.168.1.11
PROMPT MATCH: sw11#
HIT COMMAND:sw11#show running-config
In WriteTerm: sw11#show running-config
192.168.1.11: End of run not found
end

In 192.168.1.11.raw i see config issued by "show run..."

Ok device:
# rancid -t ibm -d 192.168.1.12
loadtype: device type ibm
loadtype: found device type ibm in /etc/rancid/rancid.types.conf
executing clogin -t 90 -c"show running-config" 192.168.1.12
PROMPT MATCH: sw12#
HIT COMMAND:sw12#show running-config
In WriteTerm: sw12#show running-config
192.168.1.12: End of run not found
end

ps. 192.168.1.11 has NO words "exit" in config, because interface isn't
configured (such a configuration plan).
192.168.1.12 has words "exit", because interfaces is configured.

Could you help me?

Thanks

From andrewm659 at yahoo.com Mon Dec 12 17:13:39 2016
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Mon, 12 Dec 2016 17:13:39 +0000 (UTC)
Subject: [rancid] Nortel Baystack 5000 series switch
References: <24017693.1249660.1481562819784.ref@mail.yahoo.com>
Message-ID: <24017693.1249660.1481562819784@mail.yahoo.com>

Trying to look for ways to get this working with RANCID. Do I need to use baynet?

From heas at shrubbery.net Mon Dec 12 21:19:51 2016
From: heas at shrubbery.net (heasley)
Date: Mon, 12 Dec 2016 21:19:51 +0000
Subject: [rancid] IBM BNT Layer 2/3 Copper Gigabit Ethernet Switch no config collected
In-Reply-To:
References:
Message-ID: <20161212211951.GE57590@shrubbery.net>

Mon, Dec 12, 2016 at 12:01:24PM +0300, Alexander R:
> my configuration:
> centos 7 x86_64
> i've issue in rancid 3.5.1 and 3.6.0

thank you for including this.

> i've issue to collect configs from switch modules "BNT Layer 2/3 Copper
> Gigabit Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH image1))",
> it has IP 192.168.1.11
>
> It's cisco-like CLI, so i've created my own "ibm" type in rancid.types.conf:
>
> # cat /etc/rancid/rancid.types.conf
> ibm;script;rancid -t ibm
> ibm;login;clogin
> ibm;module;ios
> ibm;inloop;ios::inloop
> ibm;command;ios::WriteTerm;show running-config
>
> It's working fine with other switch module "IBM Networking OS Virtual
> Fabric 10Gb Switch Module for IBM BladeCenter (7.8.3 (FLASH image1))" and
> it have IP 192.168.1.12, but not with "BNT Layer 2/3 Copper Gigabit
> Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH image1))"
>
> Fail device:
> # rancid -t ibm -d 192.168.1.11
> loadtype: device type ibm
> loadtype: found device type ibm in /etc/rancid/rancid.types.conf
> executing clogin -t 90 -c"show running-config" 192.168.1.11
> PROMPT MATCH: sw11#
> HIT COMMAND:sw11#show running-config
> In WriteTerm: sw11#show running-config
> 192.168.1.11: End of run not found
> end
>
> In 192.168.1.11.raw i see config issued by "show run..."
>
> Ok device:
> # rancid -t ibm -d 192.168.1.12
> loadtype: device type ibm
> loadtype: found device type ibm in /etc/rancid/rancid.types.conf
> executing clogin -t 90 -c"show running-config" 192.168.1.12
> PROMPT MATCH: sw12#
> HIT COMMAND:sw12#show running-config
> In WriteTerm: sw12#show running-config
> 192.168.1.12: End of run not found
> end
>
> ps. 192.168.1.11 has NO words "exit" in config, because interface isn't
> configured (such a configuration plan).
> 192.168.1.12 has words "exit", because interfaces is configured.
>
> Could you help me?

ios::WriteTerm() will expect to find an "end" marker in the config, without
which it will not set $found_end. if this device does not have this marker
or something similar that a custom version of ios::WriteTerm could use,
you can use a custom version of ios::WriteTerm that just counts lines, which
ios::WriteTerm already does if the input is an ASA (or a few others), which
lack an end marker.

the purpose of this is that some devices behave poorly in low memory
conditions, eg: memory leaks. some appear to succeed to produce a config,
but output nothing. requiring the marker prevents rancid from dropping
the config from the repo.

From heas at shrubbery.net Mon Dec 12 21:23:26 2016
From: heas at shrubbery.net (heasley)
Date: Mon, 12 Dec 2016 21:23:26 +0000
Subject: [rancid] Nortel Baystack 5000 series switch
In-Reply-To: <24017693.1249660.1481562819784@mail.yahoo.com>
References: <24017693.1249660.1481562819784.ref@mail.yahoo.com> <24017693.1249660.1481562819784@mail.yahoo.com>
Message-ID: <20161212212326.GF57590@shrubbery.net>

Mon, Dec 12, 2016 at 05:13:39PM +0000, Andrew Meyer:
> Trying to look for ways to get this working with RANCID. Do I need to use baynet?

No idea. Try it. if it's an oem, try the oem type if there is one.

From aleromex at gmail.com Tue Dec 13 07:30:08 2016
From: aleromex at gmail.com (Alexander R)
Date: Tue, 13 Dec 2016 10:30:08 +0300
Subject: [rancid] IBM BNT Layer 2/3 Copper Gigabit Ethernet Switch no config collected
In-Reply-To: <20161212211951.GE57590@shrubbery.net>
References: <20161212211951.GE57590@shrubbery.net>
Message-ID:

On Tue, Dec 13, 2016 at 12:19 AM, heasley wrote:

> Mon, Dec 12, 2016 at 12:01:24PM +0300, Alexander R:
> > my configuration:
> > centos 7 x86_64
> > i've issue in rancid 3.5.1 and 3.6.0
>
> thank you for including this.
>
> > i've issue to collect configs from switch modules "BNT Layer 2/3 Copper
> > Gigabit Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH image1))",
> > it has IP 192.168.1.11
> >
> > It's cisco-like CLI, so i've created my own "ibm" type in rancid.types.conf:
> >
> > # cat /etc/rancid/rancid.types.conf
> > ibm;script;rancid -t ibm
> > ibm;login;clogin
> > ibm;module;ios
> > ibm;inloop;ios::inloop
> > ibm;command;ios::WriteTerm;show running-config
> >
> > It's working fine with other switch module "IBM Networking OS Virtual
> > Fabric 10Gb Switch Module for IBM BladeCenter (7.8.3 (FLASH image1))" and
> > it have IP 192.168.1.12, but not with "BNT Layer 2/3 Copper Gigabit
> > Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH image1))"
> >
> > Fail device:
> > # rancid -t ibm -d 192.168.1.11
> > loadtype: device type ibm
> > loadtype: found device type ibm in /etc/rancid/rancid.types.conf
> > executing clogin -t 90 -c"show running-config" 192.168.1.11
> > PROMPT MATCH: sw11#
> > HIT COMMAND:sw11#show running-config
> > In WriteTerm: sw11#show running-config
> > 192.168.1.11: End of run not found
> > end
> >
> > In 192.168.1.11.raw i see config issued by "show run..."
> >
> > Ok device:
> > # rancid -t ibm -d 192.168.1.12
> > loadtype: device type ibm
> > loadtype: found device type ibm in /etc/rancid/rancid.types.conf
> > executing clogin -t 90 -c"show running-config" 192.168.1.12
> > PROMPT MATCH: sw12#
> > HIT COMMAND:sw12#show running-config
> > In WriteTerm: sw12#show running-config
> > 192.168.1.12: End of run not found
> > end
> >
> > ps. 192.168.1.11 has NO words "exit" in config, because interface isn't
> > configured (such a configuration plan).
> > 192.168.1.12 has words "exit", because interfaces is configured.
> >
> > Could you help me?
>
> ios::WriteTerm() will expect to find an "end" marker in the config, without
> which it will not set $found_end. if this device does not have this marker
> or something similar that a custom version of ios::WriteTerm could use,
> you can use a custom version of ios::WriteTerm that just counts lines, which
> ios::WriteTerm already does if the input is an ASA (or a few others), which
> lack an end marker.
>

Hi, thank you for response.
It's my configs

Ok device:
rancid]# tail -n5 192.168.1.12.raw
ntp secondary-server 192.168.1.1
!
end
sw12#exitReceived disconnect from 192.168.1.12: 11: Logged out.
rancid]#

Fail device:
rancid]# tail -n5 192.168.1.11.raw
ntp secondary-server 192.168.1.1
!
end
sw11#exitReceived disconnect from 192.168.1.11: 11: Logged out.
rancid]#

So, both switches have "end" word at the end of file.

Any ideas? I don't know why it's not worked on same "text" files

> the purpose of this is that some devices behave poorly in low memory
> conditions, eg: memory leaks. some appear to succeed to produce a config,
> but output nothing. requiring the marker prevents rancid from dropping
> the config from the repo.
>

From andrewm659 at yahoo.com Tue Dec 13 14:02:34 2016
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Tue, 13 Dec 2016 14:02:34 +0000 (UTC)
Subject: [rancid] Nortel Baystack 5000 series switch
In-Reply-To: <20161212212326.GF57590@shrubbery.net>
References: <24017693.1249660.1481562819784.ref@mail.yahoo.com> <24017693.1249660.1481562819784@mail.yahoo.com> <20161212212326.GF57590@shrubbery.net>
Message-ID: <2099552308.1828967.1481637754393@mail.yahoo.com>

So I got it to work with the baynet config. However I get something about the enable password not working. Do I need to do a enableprompt?

On Monday, December 12, 2016 3:23 PM, heasley wrote:

Mon, Dec 12, 2016 at 05:13:39PM +0000, Andrew Meyer:
> Trying to look for ways to get this working with RANCID. Do I need to use baynet?

No idea. Try it. if its an oem, try the oem type if there is one.

From andrewm659 at yahoo.com Tue Dec 13 14:19:35 2016
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Tue, 13 Dec 2016 14:19:35 +0000 (UTC)
Subject: [rancid] Nortel Baystack 5000 series switch
In-Reply-To: <2099552308.1828967.1481637754393@mail.yahoo.com>
References: <24017693.1249660.1481562819784.ref@mail.yahoo.com> <24017693.1249660.1481562819784@mail.yahoo.com> <20161212212326.GF57590@shrubbery.net> <2099552308.1828967.1481637754393@mail.yahoo.com>
Message-ID: <1589361281.1829453.1481638775836@mail.yahoo.com>

Incorrect Password
Error: Check your Enable passwd

On Tuesday, December 13, 2016 8:02 AM, Andrew Meyer wrote:

So I got it to work with the baynet config. However I get something about the enable password not working. Do I need to do a enableprompt?

On Monday, December 12, 2016 3:23 PM, heasley wrote:

Mon, Dec 12, 2016 at 05:13:39PM +0000, Andrew Meyer:
> Trying to look for ways to get this working with RANCID. Do I need to use baynet?

No idea. Try it. if its an oem, try the oem type if there is one.

From fra.nospam.nk at gmx.de Tue Dec 13 21:34:42 2016
From: fra.nospam.nk at gmx.de (Frank Fegert) Date: Tue, 13 Dec 2016 22:34:42 +0100 Subject: [rancid] Support for Dell EqualLogic PS-Series Storages in RANCID Message-ID: <20161213213442.GA22690@dyndns.org> Hello all, i'd like to propose to add support for Dell EqualLogic PS-Series storage arrays to RANCID. I've described the necessary extensions and changes here: http://www.bityard.org/blog/2016/12/13/dell_equallogic_ps-series_rancid and there is a Git branch containing the changes available here: https://github.com/frank-fegert/rancid/tree/equallogic Besides some minor changes to the build system and documentation, the only major additions are "bin/eqllogin(.in)" and "lib/equal- logic.pm(.in)". The extensions have been successfully tested against the following Dell EqualLogic PS-Series models: Dell EqualLogic PS-M4110 Dell EqualLogic PS-4210 Dell EqualLogic PS-6210 and have been in production use for over a month now. Can you please consider the provided extensions for inclusion in the next rancid release? Thanks & best regards, Frank Fegert From Muhammad_Shoaib at comcastspectacor.com Thu Dec 15 18:58:02 2016 From: Muhammad_Shoaib at comcastspectacor.com (Shoaib, Muhammad) Date: Thu, 15 Dec 2016 18:58:02 +0000 Subject: [rancid] config changes are repeating In-Reply-To: References: Message-ID: Hi, All of a sudden, I have notice that RANCID is keep reporting the same changes that were made yesterday. Seems like it is not registering that changes are reported yesterday and there aren't any new changes. This is happening only to one set of Group. Other groups reporting working fine and their changes reported by RANCID only once, as it usually does. Appreciate any hints or ideas how to troubleshoot and fix the problem. RANCID version 2.3.8 running on CentOS Linux Thank you, Muhammad From andrewm659 at yahoo.com Fri Dec 16 16:17:34 2016 
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Fri, 16 Dec 2016 16:17:34 +0000 (UTC)
Subject: [rancid] Nortel Baystack 5510
References: <544603663.353982.1481905054974.ref@mail.yahoo.com>
Message-ID: <544603663.353982.1481905054974@mail.yahoo.com>

So after further investigation I have found that there are extra scripts I can download and run, however, the brancid script work with it. I am trying to figure out how to drop my rancid user into enable mode. But it doesn't reauthenticate. My question is, if I can't get it to reauth right now, if there a way to put in the .cloginrc file to not have an enable password?

From heas at shrubbery.net Fri Dec 16 17:23:48 2016
From: heas at shrubbery.net (heasley)
Date: Fri, 16 Dec 2016 17:23:48 +0000
Subject: [rancid] Nortel Baystack 5510
In-Reply-To: <544603663.353982.1481905054974@mail.yahoo.com>
References: <544603663.353982.1481905054974.ref@mail.yahoo.com> <544603663.353982.1481905054974@mail.yahoo.com>
Message-ID: <20161216172348.GF96654@shrubbery.net>

Fri, Dec 16, 2016 at 04:17:34PM +0000, Andrew Meyer:
> So after further investigation I have found that there are extra scripts I can download and run, however, the brancid script work with it. I am trying to figure out how to drop my rancid user into enable mode. But it doesn't reauthenticate. My question is, if I can't get it to reauth right now, if there a way to put in the .cloginrc file to not have an enable password?

"to not have an enable password"? you mean do not enable? see noenable in cloginrc(5).

From heas at shrubbery.net Fri Dec 16 17:44:03 2016
From: heas at shrubbery.net (heasley) Date: Fri, 16 Dec 2016 17:44:03 +0000 Subject: [rancid] IBM BNT Layer 2/3 Copper Gigabit Ethernet Switch no config collected In-Reply-To: References: <20161212211951.GE57590@shrubbery.net> Message-ID: <20161216174403.GH96654@shrubbery.net> Tue, Dec 13, 2016 at 10:30:08AM +0300, Alexander R: > On Tue, Dec 13, 2016 at 12:19 AM, heasley wrote: > > > Mon, Dec 12, 2016 at 12:01:24PM +0300, Alexander R: > > > my configuration: > > > centos 7 x86_64 > > > i've issue in rancid 3.5.1 and 3.6.0 > > > > thank you for including this. > > > > > i've issue to collect configs from switch modules "BNT Layer 2/3 Copper > > > Gigabit Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH > > image1))", > > > it has IP 192.168.1.11 > > > > > > It's cisco-like CLI, so i've created my own "ibm" type in > > rancid.types.conf: > > > > > > # cat /etc/rancid/rancid.types.conf > > > ibm;script;rancid -t ibm > > > ibm;login;clogin > > > ibm;module;ios > > > ibm;inloop;ios::inloop > > > ibm;command;ios::WriteTerm;show running-config > > > > > > It's working fine with other switch module "IBM Networking OS Virtual > > > Fabric 10Gb Switch Module for IBM BladeCenter (7.8.3 (FLASH image1))" and > > > it have IP 192.168.1.12, but not with "BNT Layer 2/3 Copper Gigabit > > > Ethernet Switch Module for IBM BladeCenter (5.2.8 (FLASH image1))" > > > > > > Fail device: > > > # rancid -t ibm -d 192.168.1.11 > > > loadtype: device type ibm > > > loadtype: found device type ibm in /etc/rancid/rancid.types.conf > > > executing clogin -t 90 -c"show running-config" 192.168.1.11 > > > PROMPT MATCH: sw11# > > > HIT COMMAND:sw11#show running-config > > > In WriteTerm: sw11#show running-config > > > 192.168.1.11: End of run not found > > > end > > > > > > In 192.168.1.11.raw i see config issued by "show run..." 
> > > > > > Ok device: > > > # rancid -t ibm -d 192.168.1.12 > > > loadtype: device type ibm > > > loadtype: found device type ibm in /etc/rancid/rancid.types.conf > > > executing clogin -t 90 -c"show running-config" 192.168.1.12 > > > PROMPT MATCH: sw12# > > > HIT COMMAND:sw12#show running-config > > > In WriteTerm: sw12#show running-config > > > 192.168.1.12: End of run not found > > > end > > > > > > ps. 192.168.1.11 has NO words "exit" in config, because interface isn't > > > configured (such a configuration plan). > > > 192.168.1.12 has words "exit", because interfaces is configured. > > > > > > Could you help me? > > > > ios::WriteTerM() will expect to find and "end" marker in the config, > > without > > which it will not set $found_end. if this device does not have this marker > > or something similar that a customer version of ios::WriteTerm could use, > > you can use a custom version of ios::WriteTerm that just counts lines, > > which > > ios::WriteTerm already does if the input is an ASA (or a few others), which > > lack an end marker. > > > > Hi, > thank you for responce. > > It's my configs > > Ok device: > rancid]# tail -n5 192.168.1.12.raw > ntp secondary-server 192.168.1.1 > ! > end > > sw12#exitReceived disconnect from 192.168.1.12: 11: Logged out. > rancid]# > > Fail device: > rancid]# tail -n5 192.168.1.11.raw > ntp secondary-server 192.168.1.1 > ! > end > > sw11#exitReceived disconnect from 192.168.1.11: 11: Logged out. ^^ this is likely the problem; the lousy thing didnt echo the CR. inloop() expects the CR and set $clean_run. you'll have to adjust the match; the lousy exos does this too. > rancid]# > > So, both switches have "end" word at the end of file. Any ideas? I don't > know why it's not worked on same "text" files > > > > the purpose of this is that some devices behave poorly in low memory > > conditions, eg: memory leaks. some appear to succeed to produce a config, > > but output nothing. 
requiring the marker prevents rancid from dropping > > the config from the repo. > > From heas at shrubbery.net Fri Dec 16 20:08:37 2016 From: heas at shrubbery.net (heasley) Date: Fri, 16 Dec 2016 20:08:37 +0000 Subject: [rancid] Support for Dell EqualLogic PS-Series Storages in RANCID In-Reply-To: <20161213213442.GA22690@dyndns.org> References: <20161213213442.GA22690@dyndns.org> Message-ID: <20161216200837.GA1019@shrubbery.net> Tue, Dec 13, 2016 at 10:34:42PM +0100, Frank Fegert: > Hello all, > > i'd like to propose to add support for Dell EqualLogic PS-Series > storage arrays to RANCID. I've described the necessary extensions > and changes here: > http://www.bityard.org/blog/2016/12/13/dell_equallogic_ps-series_rancid > > and there is a Git branch containing the changes available here: > https://github.com/frank-fegert/rancid/tree/equallogic > > Besides some minor changes to the build system and documentation, > the only major additions are "bin/eqllogin(.in)" and "lib/equal- > logic.pm(.in)". > > The extensions have been successfully tested against the following > Dell EqualLogic PS-Series models: > Dell EqualLogic PS-M4110 > Dell EqualLogic PS-4210 > Dell EqualLogic PS-6210 > > and have been in production use for over a month now. > > Can you please consider the provided extensions for inclusion in > the next rancid release? Can anyone who has these devices test Frank's module? From heas at shrubbery.net Mon Dec 19 18:04:32 2016 
From: heas at shrubbery.net (heasley) Date: Mon, 19 Dec 2016 18:04:32 +0000 Subject: [rancid] Rancid and Cisco Small Business SG500 In-Reply-To: <8739a2be3c47473bbe078c68c509c72f@THQ-MAIL01.timicogroup.local> References: <8739a2be3c47473bbe078c68c509c72f@THQ-MAIL01.timicogroup.local> Message-ID: <20161219180432.GC90301@shrubbery.net> Wed, Apr 13, 2016 at 09:44:49AM +0000, Richard Savage: > Hi All > > Im using rancid 2.3.8 and am backup up around 100 cisco small business switches SG300's and SG500's. Im using the type cisco-sb. > > When backing up the SG500's on every diff the following is coming up: > > Index: configs/rc-pr-sw1 > =================================================================== > - -- configs/rc-pr-sw1 (revision 1333) > @@ -16,12 +16,12 @@ > !---- ------------------------- ------------------------- > ! 1 24 OK > ! 2 23 OK > - ! 3 24 OK > + ! 3 22 OK > !Unit Up time > !---- --------------- > - ! 1 06,07:16:42 > - ! 2 06,07:16:46 > - ! 3 06,07:16:42 > + ! 1 06,13:16:41 > + ! 2 06,13:16:45 > + ! 3 06,13:16:41 > ! > ! Unit SW version Boot version HW version > !------------------- ------------------- ------------------- ------------------- > > Is there a way that rancid can ignore this so that we don't get a diff everytime rancid is run? I've imported a version of cisco-sb for rancid 4.0, but need a little more info to address this problem. Can you tell me from which command this output comes and show me the raw output? From xq1xq1xq1 at gmail.com Mon Dec 19 16:42:28 2016 
From: xq1xq1xq1 at gmail.com (JP)
Date: Mon, 19 Dec 2016 10:42:28 -0600
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
Message-ID:

Setting up RANCID on CENTOS6

in .cloginrc I put this line:

add password x.x.x.45 {xxxxxx!} {xxxxxx!}

When I try and test my password configuration it fails:

[rancid at tools rancid]$ /usr/libexec/rancid/clogin x.x.x.45
x.x.x.45
spawn telnet x.x.x.45
Trying x.x.x.45...
Connected to x.x.x.45.
Escape character is '^]'.

User Access Verification

Password:
Password:
Password:
% Bad passwords

Error: Check your passwd for x.x.x.45

My password works fine when I enter it manually.

My password contains a " ! " character - could this be causing the problem?

I removed the " ! " with the same results.

I am sure it is something simple - guidance appreciated!

From heas at shrubbery.net Mon Dec 19 18:43:05 2016
From: heas at shrubbery.net (heasley)
Date: Mon, 19 Dec 2016 18:43:05 +0000
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To:
References:
Message-ID: <20161219184305.GJ90301@shrubbery.net>

Mon, Dec 19, 2016 at 10:42:28AM -0600, JP:
> Setting up RANCID on CENTOS6
>
> in .cloginrc I put this line:
>
> add password x.x.x.45 {xxxxxx!} {xxxxxx!}
>
> When I try and test my password configuration it fails:
>
> [rancid at tools rancid]$ /usr/libexec/rancid/clogin x.x.x.45
> x.x.x.45
> spawn telnet x.x.x.45
> Trying x.x.x.45...
> Connected to x.x.x.45.
> Escape character is '^]'.
>
> User Access Verification
>
> Password:
> Password:
> Password:
> % Bad passwords
>
> Error: Check your passwd for x.x.x.45
>
> My password works fine when I enter it manually.
>
> My password contains a " ! " character - could this be causing the problem?
>
> I removed the " ! " with the same results.
>
> I am sure it is something simple - guidance appreciated!

add password glob {foo\!bar}

From ler762 at gmail.com Mon Dec 19 19:09:20 2016
From: ler762 at gmail.com (Lee)
Date: Mon, 19 Dec 2016 14:09:20 -0500
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To: <20161219184305.GJ90301@shrubbery.net>
References: <20161219184305.GJ90301@shrubbery.net>
Message-ID:

On 12/19/16, heasley wrote:
> Mon, Dec 19, 2016 at 10:42:28AM -0600, JP:
>> Setting up RANCID on CENTOS6
>>
>> in .cloginrc I put this line:
>>
>> add password x.x.x.45 {xxxxxx!} {xxxxxx!}
>>
>> When I try and test my password configuration it fails:
>>
<.. snip ..>
>>
>> My password works fine when I enter it manually.
>>
>> My password contains a " ! " character - could this be causing the
>> problem?
>
> add password glob {foo\!bar}

Just out of curiosity - why would you need to escape the ! when it's inside {}s?

I've got a ! in one of my passwords and
add password devname {pass!word}
works fine for ssh (I don't use telnet any more).

Thanks,
Lee

From heas at shrubbery.net Mon Dec 19 23:24:41 2016
From: heas at shrubbery.net (John Heasley)
Date: Mon, 19 Dec 2016 18:24:41 -0500
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To:
References: <20161219184305.GJ90301@shrubbery.net>
Message-ID: <4F4DB345-A55B-48D9-A9A4-C0EC4B6556F5@shrubbery.net>

On 19.12.2016 at 14:09, Lee wrote:
>
>> On 12/19/16, heasley wrote:
>> Mon, Dec 19, 2016 at 10:42:28AM -0600, JP:
>>> Setting up RANCID on CENTOS6
>>>
>>> in .cloginrc I put this line:
>>>
>>> add password x.x.x.45 {xxxxxx!} {xxxxxx!}
>>>
>>> When I try and test my password configuration it fails:
>>>
> <.. snip ..>
>>>
>>> My password works fine when I enter it manually.
>>>
>>> My password contains a " ! " character - could this be causing the
>>> problem?
>>
>> add password glob {foo\!bar}
>
> Just out of curiosity - why would you need to escape the ! when it's inside {}s?
>
> I've got a ! in one of my passwords and
> add password devname {pass!word}
> works fine for ssh (I don't use telnet any more).

Maybe the escaping isnt necessary for !, but it shouldnt hurt. I think i put a list in the manpage.

>
> Thanks,
> Lee

From xq1xq1xq1 at gmail.com Mon Dec 19 23:21:03 2016
From: xq1xq1xq1 at gmail.com (JP)
Date: Mon, 19 Dec 2016 23:21:03 +0000
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To: <20161219184305.GJ90301@shrubbery.net>
References: <20161219184305.GJ90301@shrubbery.net>
Message-ID:

Found the issue

Default configuration in the sample cloginrc file was overriding my value - I should have caught that but was still learning how rancid operated.

Relegated to use of telnet since would cost about 5k to get it on my Switch

Looks like an awesome tool - will try to get juniper srx firewall backed up tomorrow

On Mon, Dec 19, 2016 at 12:43 PM heasley wrote:

> Mon, Dec 19, 2016 at 10:42:28AM -0600, JP:
> > Setting up RANCID on CENTOS6
> >
> > in .cloginrc I put this line:
> >
> > add password x.x.x.45 {xxxxxx!} {xxxxxx!}
> >
> > When I try and test my password configuration it fails:
> >
> > [rancid at tools rancid]$ /usr/libexec/rancid/clogin x.x.x.45
> > x.x.x.45
> > spawn telnet x.x.x.45
> > Trying x.x.x.45...
> > Connected to x.x.x.45.
> > Escape character is '^]'.
> >
> > User Access Verification
> >
> > Password:
> > Password:
> > Password:
> > % Bad passwords
> >
> > Error: Check your passwd for x.x.x.45
> >
> > My password works fine when I enter it manually.
> >
> > My password contains a " ! " character - could this be causing the
> > problem?
> >
> > I removed the " ! " with the same results.
> >
> > I am sure it is something simple - guidance appreciated!
>
> add password glob {foo\!bar}

From rancid at ale.cx Tue Dec 20 11:57:48 2016
From: rancid at ale.cx (Alex DEKKER) Date: Tue, 20 Dec 2016 11:57:48 +0000 Subject: [rancid] Rancid and Cisco Small Business SG500 In-Reply-To: <20161219180432.GC90301@shrubbery.net> References: <8739a2be3c47473bbe078c68c509c72f@THQ-MAIL01.timicogroup.local> <20161219180432.GC90301@shrubbery.net> Message-ID: On 2016-12-19 18:04, heasley wrote: > Wed, Apr 13, 2016 at 09:44:49AM +0000, Richard Savage: >> + ! 1 06,13:16:41 >> + ! 2 06,13:16:45 >> + ! 3 06,13:16:41 >> ! >> ! Unit SW version Boot version HW >> version >> !------------------- ------------------- ------------------- >> ------------------- >> >> Is there a way that rancid can ignore this so that we don't get a diff >> everytime rancid is run? > > I've imported a version of cisco-sb for rancid 4.0, but need a little > more > info to address this problem. Can you tell me from which command this > output comes and show me the raw output? show system: $ csblogin sg500x User Name:cisco Password:*********** SG500X#sho system System Description: SG500X-24P 24-Port Gigabit with 4-Port 10-Gigabit PoE Stackable Managed Switch System Up Time (days,hour:min:sec): 486,05:08:01 System Contact: System Name: SG500X System Location: SG500X System MAC Address: d4:d7:48:d3:8e:16 System Object ID: 1.3.6.1.4.1.9.6.1.85.24.2 Fans Status: OK Unit Temperature (Celsius) Status ------------------------ ------------------------ ------------------------ 1 39 OK SG500X#quit alexd From xq1xq1xq1 at gmail.com Tue Dec 20 14:09:02 2016 
From: xq1xq1xq1 at gmail.com (JP)
Date: Tue, 20 Dec 2016 08:09:02 -0600
Subject: [rancid] Trying to Backup Juniper SRX Firewall
Message-ID:

I have configured RANCID to backup my Cisco switches.

using these commands:

/usr/libexec/rancid/clogin -c 'write term' x.x.x.45 > 45.cfg
/usr/libexec/rancid/clogin -c 'write term' x.x.x..41 > 41.cfg

This works as designed

I have a Juniper SRX-210 firewall that I want to backup.

I am using this command to backup the config:

/usr/libexec/rancid/clogin -c 'set cli screen-length 0;show configuration' x.x.x.200 > 200.cfg

I think that the problem is that the prompt is not recognized and the commands are not executed after login:

[rancid at tools rancid]$ /usr/libexec/rancid/clogin -c 'set cli screen-length 0;show configuration' x.x.x.200
x.x.x.200
spawn ssh -c 3des -x -l root x.x.x.200

This system is for the use of authorized users only.
Individuals using this computer system without
authority, or in excess of their authority, are subject
to having all of their activities on this system
monitored and recorded by system personnel. In the
course of monitoring individuals improperly using this
system, or in the course of system maintenance, the
activities of authorized users may also be monitored.
Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring
reveals possible evidence of criminal activity, system
personnel may provide the evidence of such monitoring
to law enforcement officials.

Password:
--- JUNOS 12.1X46-D50.4 built 2016-04-17 11:15:31 UTC
root at SRX210%

Error: TIMEOUT reached

The rancid logs for the firewall are empty

Does anyone have any words of wisdom to resolve?

From heas at shrubbery.net Tue Dec 20 14:27:45 2016
From: heas at shrubbery.net (heasley) Date: Tue, 20 Dec 2016 14:27:45 +0000 Subject: [rancid] Trying to Backup Juniper SRX Firewall In-Reply-To: References: Message-ID: <20161220142745.GA18847@shrubbery.net> Tue, Dec 20, 2016 at 08:09:02AM -0600, JP: > I have configured RANCID to backup my Cisco switches. > > using these commands: > > /usr/libexec/rancid/clogin -c 'write term' x.x.x.45 > 45.cfg > /usr/libexec/rancid/clogin -c 'write term' x.x.x..41 > 41.cfg > > > This works as designed > > I have a Juniper SRX-210 firewall that I want to backup. > > I am using this command to backup the config: > > /usr/libexec/rancid/clogin -c 'set cli screen-length 0;show configuration' > x.x.x.200 > 200.cfg > > > I think that the problem is that the prompt is not recognized and the > commands are not executed after login: > > [rancid at tools rancid]$ /usr/libexec/rancid/clogin -c 'set cli screen-length > 0;show configuration' x.x.x.200 > x.x.x.200 > spawn ssh -c 3des -x -l root x.x.x.200 > > > > This system is for the use of authorized users only. > Individuals using this computer system without > authority, or in excess of their authority, are subject > to having all of their activities on this system > monitored and recorded by system personnel. In the > course of monitoring individuals improperly using this > system, or in the course of system maintenance, the > activities of authorized users may also be monitored. > Anyone using this system expressly consents to such > monitoring and is advised that if such monitoring > reveals possible evidence of criminal activity, system > personnel may provide the evidence of such monitoring > to law enforcement officials. > > > Password: > --- JUNOS 12.1X46-D50.4 built 2016-04-17 11:15:31 UTC > root at SRX210% > > Error: TIMEOUT reached > > > > The rancid logs for the firewall are empty > > Does anyone have any words of wisdom to resolve? dont use the root user for one. 
two, if its junos, configure it as a juniper, then the command will be jlogin. also see plogin. From heas at shrubbery.net Tue Dec 20 14:48:57 2016 From: heas at shrubbery.net (heasley) Date: Tue, 20 Dec 2016 14:48:57 +0000 Subject: [rancid] Rancid and Cisco Small Business SG500 In-Reply-To: <20161220144220.F131F273EE@sea.shrubbery.net> Message-ID: <20161220144857.GB18847@shrubbery.net> Tue, Dec 20, 2016 at 11:57:48AM +0000, Alex DEKKER: > On 2016-12-19 18:04, heasley wrote: > > Wed, Apr 13, 2016 at 09:44:49AM +0000, Richard Savage: > > >> + ! 1 06,13:16:41 > >> + ! 2 06,13:16:45 > >> + ! 3 06,13:16:41 > >> ! > >> ! Unit SW version Boot version HW > >> version > >> !------------------- ------------------- ------------------- > >> ------------------- > >> > >> Is there a way that rancid can ignore this so that we don't get a diff > >> everytime rancid is run? > > > > I've imported a version of cisco-sb for rancid 4.0, but need a little > > more > > info to address this problem. Can you tell me from which command this > > output comes and show me the raw output? > > show system: > > $ csblogin sg500x > > > > User Name:cisco > Password:*********** > > > SG500X#sho system > System Description: SG500X-24P 24-Port Gigabit > with 4-Port 10-Gigabit PoE Stackable Managed Switch > System Up Time (days,hour:min:sec): 486,05:08:01 > System Contact: > System Name: SG500X > System Location: SG500X > System MAC Address: d4:d7:48:d3:8e:16 > System Object ID: 1.3.6.1.4.1.9.6.1.85.24.2 > > Fans Status: OK > > > Unit Temperature (Celsius) Status > ------------------------ ------------------------ > ------------------------ > 1 39 OK > > > SG500X#quit Thats not the output that richard is complaining about, but the temperature (per card?) that you have supplied seems like it needs to be filtered. Does the following do it? Index: lib/iossb.pm.in =================================================================== --- lib/iossb.pm.in (revision 3568) +++ lib/iossb.pm.in (working copy) 
@@ -133,6 +133,17 @@ /system description:\s+(.*)$/i && ProcessHistory("COMMENTS","keysort","B0","! Chassis type: $1\n") && next; + # filter individual card temperature + if (/unit\stemperature/i) { + while (<$INPUT>) { + tr/\015//d; + return(0) if (/^$prompt/); + next if (/^(\s*|\s*$cmd\s*)$/); + next if (/^\s+\^$/); + + last if (/^\s*$/); + } + } } return(0); } and can you me a 'show version'? From jason at biel-tech.com Tue Dec 20 14:24:29 2016 
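Review bot: In the added while loop, "next if (/^(\s*|\s*$cmd\s*)$/);" already matches empty and whitespace-only lines, so the later "last if (/^\s*$/);" can never be reached. As written, nothing ends the skip at the bottom of the temperature table: once "unit temperature" is seen, every remaining line of the command output is discarded until the prompt triggers return(0). If the intent is to drop only the per-unit temperature table, test for the terminating blank line before the "next", or remove the "\s*|" alternative inside this loop, and add a comment saying which line is expected to end the table.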
From: jason at biel-tech.com (Jason Biel) Date: Tue, 20 Dec 2016 08:24:29 -0600 Subject: [rancid] Trying to Backup Juniper SRX Firewall In-Reply-To: References: Message-ID: SRX runs JUNOS so you want to use jlogin vice clogin On Tue, Dec 20, 2016 at 8:09 AM, JP wrote: > I have configured RANCID to backup my Cisco switches. > > using these commands: > > /usr/libexec/rancid/clogin -c 'write term' x.x.x.45 > 45.cfg > /usr/libexec/rancid/clogin -c 'write term' x.x.x..41 > 41.cfg > > > This works as designed > > I have a Juniper SRX-210 firewall that I want to backup. > > I am using this command to backup the config: > > /usr/libexec/rancid/clogin -c 'set cli screen-length 0;show configuration' > x.x.x.200 > 200.cfg > > > I think that the problem is that the prompt is not recognized and the > commands are not executed after login: > > [rancid at tools rancid]$ /usr/libexec/rancid/clogin -c 'set cli > screen-length 0;show configuration' x.x.x.200 > x.x.x.200 > spawn ssh -c 3des -x -l root x.x.x.200 > > > > This system is for the use of authorized users only. > Individuals using this computer system without > authority, or in excess of their authority, are subject > to having all of their activities on this system > monitored and recorded by system personnel. In the > course of monitoring individuals improperly using this > system, or in the course of system maintenance, the > activities of authorized users may also be monitored. > Anyone using this system expressly consents to such > monitoring and is advised that if such monitoring > reveals possible evidence of criminal activity, system > personnel may provide the evidence of such monitoring > to law enforcement officials. > > > Password: > --- JUNOS 12.1X46-D50.4 built 2016-04-17 11:15:31 UTC > root at SRX210% > > Error: TIMEOUT reached > > > > The rancid logs for the firewall are empty > > Does anyone have any words of wisdom to resolve? 
--
Jason

From heas at shrubbery.net Tue Dec 20 15:05:06 2016
From: heas at shrubbery.net (heasley)
Date: Tue, 20 Dec 2016 15:05:06 +0000
Subject: [rancid] Rancid and Cisco Small Business SG500
In-Reply-To: <20161220144857.GB18847@shrubbery.net>
References: <20161220144220.F131F273EE@sea.shrubbery.net> <20161220144857.GB18847@shrubbery.net>
Message-ID: <20161220150506.GC18847@shrubbery.net>

Tue, Dec 20, 2016 at 02:48:57PM +0000, heasley:
> Thats not the output that richard is complaining about, but the temperature
> (per card?) that you have supplied seems like it needs to be filtered. Does
> the following do it?

blech; that patch shouldnt be necessary.

From ler762 at gmail.com Tue Dec 20 15:58:59 2016
From: ler762 at gmail.com (Lee)
Date: Tue, 20 Dec 2016 10:58:59 -0500
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To: <4F4DB345-A55B-48D9-A9A4-C0EC4B6556F5@shrubbery.net>
References: <20161219184305.GJ90301@shrubbery.net> <4F4DB345-A55B-48D9-A9A4-C0EC4B6556F5@shrubbery.net>
Message-ID:

On 12/19/16, John Heasley wrote:
> On 19.12.2016 at 14:09, Lee wrote:
>>
>>> On 12/19/16, heasley wrote:
>>> Mon, Dec 19, 2016 at 10:42:28AM -0600, JP:
>>>> Setting up RANCID on CENTOS6
>>>>
>>>> in .cloginrc I put this line:
>>>>
>>>> add password x.x.x.45 {xxxxxx!} {xxxxxx!}
>>>>
>>>> When I try and test my password configuration it fails:
>>>>
>> <.. snip ..>
>>>>
>>>> My password works fine when I enter it manually.
>>>>
>>>> My password contains a " ! " character - could this be causing the
>>>> problem?
>>>
>>> add password glob {foo\!bar}
>>
>> Just out of curiosity - why would you need to escape the ! when it's
>> inside {}s?
>>
>> I've got a ! in one of my passwords and
>> add password devname {pass!word}
>> works fine for ssh (I don't use telnet any more).
>
> Maybe the escaping isnt necessary for !, but it shouldnt hurt. I think i put
> a list in the manpage.

man cloginrc only mentions space & left/right squiggly brackets

Lee

From heas at shrubbery.net Tue Dec 20 16:31:31 2016
From: heas at shrubbery.net (John Heasley)
Date: Tue, 20 Dec 2016 16:31:31 +0000
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To:
References: <20161219184305.GJ90301@shrubbery.net> <4F4DB345-A55B-48D9-A9A4-C0EC4B6556F5@shrubbery.net>
Message-ID: <20161220163131.GE18847@shrubbery.net>

Tue, Dec 20, 2016 at 10:58:59AM -0500, Lee:
> > Maybe the escaping isnt necessary for !, but it shouldnt hurt. I think i put
> > a list in the manpage.
>
> man cloginrc only mentions space & left/right squiggly brackets

it says "or special character" :) the interpretter reads the file as if it were a script and *login use the value in send and join.

From ler762 at gmail.com Tue Dec 20 17:14:16 2016
From: ler762 at gmail.com (Lee)
Date: Tue, 20 Dec 2016 12:14:16 -0500
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To: <20161220163131.GE18847@shrubbery.net>
References: <20161219184305.GJ90301@shrubbery.net> <4F4DB345-A55B-48D9-A9A4-C0EC4B6556F5@shrubbery.net> <20161220163131.GE18847@shrubbery.net>
Message-ID:

On 12/20/16, John Heasley wrote:
> Tue, Dec 20, 2016 at 10:58:59AM -0500, Lee:
>> > Maybe the escaping isnt necessary for !, but it shouldnt hurt. I think i
>> > put
>> > a list in the manpage.
>>
>> man cloginrc only mentions space & left/right squiggly brackets
>
> it says "or special character" :) the interpretter reads the file as if it
> were a script and *login use the value in send and join.

Are you going from memory or an actual man page? man cloginrc for rancid 3.6.1 has

... always enclose the values in braces. If a value includes a (left or right) brace or space character, it must be backslash-escaped ...

which, at least to me, implies the only thing one has to worry about if the value is inside {} are those three characters.

In any case, on a related note - how hard would it be to have something like the clogin -x option that treats the input file as straight text with no meta-chars? Using rancid for things like setting the banner, snmp community string, etc. is a pain. I'd much prefer not having to figure out what all had to be escaped.

Thanks,
Lee

From ler762 at gmail.com Tue Dec 20 16:03:12 2016
From: ler762 at gmail.com (Lee)
Date: Tue, 20 Dec 2016 11:03:12 -0500
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To:
References: <20161219184305.GJ90301@shrubbery.net>
Message-ID:

On 12/19/16, JP wrote:
> Found the issue
>
> Default configuration in the sample cloginrc file was overriding my value

Thanks for coming back with the answer. I thought it was a bit weird that it works for me & not you..

Lee

From Brad.Shifflett at micromenders.com Tue Dec 20 18:20:00 2016
From: Brad.Shifflett at micromenders.com (Brad Shifflett)
Date: Tue, 20 Dec 2016 18:20:00 +0000
Subject: [rancid] Hillstone firewalls support
Message-ID:

Anyone know if you can add hillstone firewalls to rancid? If so, how would this be set?

Brad Shifflett

From xq1xq1xq1 at gmail.com Tue Dec 20 16:27:43 2016
From: xq1xq1xq1 at gmail.com (JP)
Date: Tue, 20 Dec 2016 10:27:43 -0600
Subject: [rancid] Trying to Backup Juniper SRX Firewall
In-Reply-To: <20161220142745.GA18847@shrubbery.net>
References: <20161220142745.GA18847@shrubbery.net>
Message-ID:

Thanx for the guidance

I created a new group and user:

set system login class NOC permissions view
set system login class NOC permissions view-configuration
set system login user rancid uid 2002
set system login user rancid class NOC

I then changed the password for this new user:

edit groups global system login user rancid
set authentication plain-text-password

I then applied the new group:

set apply-groups global

Now it works as designed

Thanx everyone!

On Tue, Dec 20, 2016 at 8:27 AM, heasley wrote:
> Tue, Dec 20, 2016 at 08:09:02AM -0600, JP:
> > I have configured RANCID to backup my Cisco switches.
> >
> > using these commands:
> >
> > /usr/libexec/rancid/clogin -c 'write term' x.x.x.45 > 45.cfg
> > /usr/libexec/rancid/clogin -c 'write term' x.x.x..41 > 41.cfg
> >
> >
> > This works as designed
> >
> > I have a Juniper SRX-210 firewall that I want to backup.
> >
> > I am using this command to backup the config:
> >
> > /usr/libexec/rancid/clogin -c 'set cli screen-length 0;show configuration' x.x.x.200 > 200.cfg
> >
> >
> > I think that the problem is that the prompt is not recognized and the
> > commands are not executed after login:
> >
> > [rancid at tools rancid]$ /usr/libexec/rancid/clogin -c 'set cli screen-length 0;show configuration' x.x.x.200
> > x.x.x.200
> > spawn ssh -c 3des -x -l root x.x.x.200
> >
> >
> >
> > This system is for the use of authorized users only.
> > Individuals using this computer system without
> > authority, or in excess of their authority, are subject
> > to having all of their activities on this system
> > monitored and recorded by system personnel. In the
> > course of monitoring individuals improperly using this
> > system, or in the course of system maintenance, the
> > activities of authorized users may also be monitored.
> > Anyone using this system expressly consents to such
> > monitoring and is advised that if such monitoring
> > reveals possible evidence of criminal activity, system
> > personnel may provide the evidence of such monitoring
> > to law enforcement officials.
> >
> >
> > Password:
> > --- JUNOS 12.1X46-D50.4 built 2016-04-17 11:15:31 UTC
> > root at SRX210%
> >
> > Error: TIMEOUT reached
> >
> >
> >
> > The rancid logs for the firewall are empty
> >
> > Does anyone have any words of wisdom to resolve?
>
> don't use the root user for one. two, if it's junos, configure it as a
> juniper, then the command will be jlogin. also see plogin.
>

From heas at shrubbery.net Wed Dec 21 04:37:06 2016
From: heas at shrubbery.net (heasley)
Date: Wed, 21 Dec 2016 04:37:06 +0000
Subject: [rancid] Hillstone firewalls support
In-Reply-To:
References:
Message-ID: <20161221043706.GF27612@shrubbery.net>

Tue, Dec 20, 2016 at 06:20:00PM +0000, Brad Shifflett:
> Anyone know if you can add hillstone firewalls to rancid? If so, how would this be set?
>

they are not supported, but see Q2 of section 4 of the rancid FAQ.

From heas at shrubbery.net Wed Dec 21 04:49:03 2016
From: heas at shrubbery.net (heasley)
Date: Wed, 21 Dec 2016 04:49:03 +0000
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To:
References: <20161219184305.GJ90301@shrubbery.net>
Message-ID: <20161221044903.GH27612@shrubbery.net>

Tue, Dec 20, 2016 at 11:03:12AM -0500, Lee:
> On 12/19/16, JP wrote:
> > Found the issue
> >
> > Default configuration in the sample cloginrc file was overriding my value

clogin -[mM] devicename is rather useful for finding such things.

> Thanks for coming back with the answer. I thought it was a bit weird
> that it works for me & not you..
>
> Lee
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

From heas at shrubbery.net Wed Dec 21 05:08:58 2016
From: heas at shrubbery.net (John Heasley)
Date: Wed, 21 Dec 2016 05:08:58 +0000
Subject: [rancid] RANCID - Password Error using Telnet on Cisco Switch
In-Reply-To:
References: <20161219184305.GJ90301@shrubbery.net> <4F4DB345-A55B-48D9-A9A4-C0EC4B6556F5@shrubbery.net> <20161220163131.GE18847@shrubbery.net>
Message-ID: <20161221050858.GI27612@shrubbery.net>

Tue, Dec 20, 2016 at 12:14:16PM -0500, Lee:
> In any case, on a related note - how hard would it be to have
> something like the clogin -x option that treats the input file as
> straight text with no meta-chars? Using rancid for things like
> setting the banner, snmp community string, etc. is a pain. I'd much
> prefer not having to figure out what all had to be escaped.

another user asked about this; there was a catch with doing this that I
am now struggling to remember and when that user did not reply I dropped
it. ISTR it was just not wanting to alter -x, rather use a different
option. grumble; I'll have to look at it again.

From mischa.diehm at unibas.ch Wed Dec 21 17:50:11 2016
From: mischa.diehm at unibas.ch (Mischa Diehm)
Date: Wed, 21 Dec 2016 17:50:11 +0000
Subject: [rancid] rancid extension to pass commit message
Message-ID:

Hi,

First of all thanks for this great and useful software. We use it extensively and are very happy with it!

History for the diff: Since some time we use elasticsearch and logstash for our central NOC log management system. To detect changes on our devices (firewalls, routers, switches ...) we check for specific log lines and trigger a rancid-run from there. Usually we see in the logline who has made the change. To have this visible in our commit message and our mails received from rancid I have extended rancid-run and control_rancid to be able to pass a commit message like:

# rancid-run -c "$msg"

(diff attached)

What do you think is this sth. useful and worth adding?

Cheers
Mischa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: control_rancid-3.6.1.diff
Type: application/octet-stream
Size: 2132 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rancid-run-3.6.1.diff
Type: application/octet-stream
Size: 739 bytes
Desc: not available

From heas at shrubbery.net Thu Dec 22 18:23:53 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 22 Dec 2016 18:23:53 +0000
Subject: [rancid] rancid extension to pass commit message
In-Reply-To:
References:
Message-ID: <20161222182353.GC90071@shrubbery.net>

Wed, Dec 21, 2016 at 05:50:11PM +0000, Mischa Diehm:
> Hi,
>
> First of all thanks for this great and useful software. We use it
> extensively and are very happy with it!
>
> History for the diff: Since some time we use elasticsearch and logstash for
> our central NOC log management system. To detect changes on our devices
> (firewalls, routers, switches ...) we check for specific log lines and trigger
> a rancid-run from there. Usually we see in the logline who has made the
> change. To have this visible in our commit message and our mails received
> from rancid I have extended rancid-run and control_rancid to be able to pass
> a commit message like:
>
> # rancid-run -c "$msg"
> (diff attached)
>
> What do you think is this sth. useful and worth adding?

Yes, the idea seems fine to me. I'll add it for rancid 4.0.

From nicotine at warningg.com Thu Dec 22 21:49:22 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 22 Dec 2016 15:49:22 -0600
Subject: [rancid] rancid extension to pass commit message
In-Reply-To: <20161222182353.GC90071@shrubbery.net>
References: <20161222182353.GC90071@shrubbery.net>
Message-ID: <20161222214922.GA12582@radiological.warningg.com>

On Thu, Dec 22, 2016 at 06:23:53PM +0000, heasley wrote:
>
> Yes, the idea seems fine to me. I'll add it for rancid 4.0.
>

An option to set the author would make git blame more fun

--
Brandon Ewing (nicotine at warningg.com)

From heas at shrubbery.net Fri Dec 23 02:59:42 2016
From: heas at shrubbery.net (heasley)
Date: Fri, 23 Dec 2016 02:59:42 +0000
Subject: [rancid] rancid extension to pass commit message
In-Reply-To: <20161222214922.GA12582@radiological.warningg.com>
References: <20161222182353.GC90071@shrubbery.net> <20161222214922.GA12582@radiological.warningg.com>
Message-ID: <20161223025942.GA14941@shrubbery.net>

Thu, Dec 22, 2016 at 03:49:22PM -0600, Brandon Ewing:
> On Thu, Dec 22, 2016 at 06:23:53PM +0000, heasley wrote:
> >
> > Yes, the idea seems fine to me. I'll add it for rancid 4.0.
> >
>
> An option to set the author would make git blame more fun

the author, of the commit, should be the rancid user :) and, rancid-cvs sets:
git config user.name RANCiD
git config user.email $USER$MAILDOMAIN

From mischa.diehm at unibas.ch Fri Dec 23 09:29:52 2016
From: mischa.diehm at unibas.ch (Mischa Diehm)
Date: Fri, 23 Dec 2016 09:29:52 +0000
Subject: [rancid] rancid extension to pass commit message
In-Reply-To: <20161223025942.GA14941@shrubbery.net>
References: <20161222182353.GC90071@shrubbery.net> <20161222214922.GA12582@radiological.warningg.com> <20161223025942.GA14941@shrubbery.net>
Message-ID:

Thu, Dec 22, 2016 at 03:49:22PM -0600, Brandon Ewing:
On Thu, Dec 22, 2016 at 06:23:53PM +0000, heasley wrote:
>
> Yes, the idea seems fine to me. I'll add it for rancid 4.0.
>
An option to set the author would make git blame more fun

the author, of the commit, should be the rancid user :) and, rancid-cvs sets:
git config user.name RANCiD
git config user.email $USER$MAILDOMAIN

yes I was thinking about this too but in our case we detect change by users not being valid svn/git users. So we just write the username inside the commit message and leave the repository to a single user: rancid.

From nicotine at warningg.com Fri Dec 23 21:39:35 2016
From: nicotine at warningg.com (Brandon Ewing) Date: Fri, 23 Dec 2016 15:39:35 -0600 Subject: [rancid] snmp-server host on nx-os Message-ID: <20161223213935.GB12582@radiological.warningg.com> Looks like the snmp-server host stuff got missed when nxos.pm got created. One can still set an SNMP string in a snmp-server host trap statement, so we should probably match and filter if filterstr is set. Patch (cut 'n pasted from ios.pm) attached. -- Brandon Ewing (nicotine at warningg.com) -------------- next part -------------- --- lib/nxos.pm.in.orig 2016-12-23 15:14:26.035813372 -0600 +++ lib/nxos.pm.in 2016-12-23 15:16:06.626807943 -0600 @@ -847,6 +847,34 @@ } } } + if (/^snmp-server host (\d+\.\d+\.\d+\.\d+) /) { + if ($filter_commstr) { + my($ip) = $1; + my($line) = "snmp-server host $ip"; + my(@tokens) = split(' ', $'); + my($token); + while ($token = shift(@tokens)) { + if ($token eq 'version') { + $line .= " " . join(' ', ($token, shift(@tokens))); + if ($token eq '3') { + $line .= " " . join(' ', ($token, shift(@tokens))); + } + } elsif ($token eq 'vrf') { + $line .= " " . join(' ', ($token, shift(@tokens))); + } elsif ($token =~ /^(informs?|traps?|(no)?auth)$/) { + $line .= " " . $token; + } else { + $line = "!$line " . join(' ', ("", + join(' ', at tokens))); + last; + } + } + ProcessHistory("SNMPSERVERHOST","ipsort","$ip","$line\n"); + } else { + ProcessHistory("SNMPSERVERHOST","ipsort","$1","$_"); + } + next; + } # Why was this commented out? It shows up in the raw text... if (/^(snmp-server community) (\S+)/) { -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From weylin at bu.edu Thu Dec 29 03:08:32 2016 
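Review bot: the inner test "if ($token eq '3')" sits inside the branch that has just established "$token eq 'version'", and the version value is consumed by shift(@tokens) inside the join without being assigned, so that test can never be true and the extra token for version 3 is never taken. For a v3 host line the security-level word then goes through the main loop, where only auth and noauth match /^(informs?|traps?|(no)?auth)$/; a priv keyword would fall into the else branch and be dropped as if it were the string to filter, while the tokens after it are appended to the output line. Suggest capturing the value, for example "my($ver) = shift(@tokens);", and testing "$ver eq '3'". Separately, the outer match only accepts a dotted-quad IPv4 host, so a snmp-server host line with any other host form is not handled by this block, and as archived the else branch reads "join(' ', at tokens)" with an empty "" in front of it, which should be checked against the original attachment before applying.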
From: weylin at bu.edu (Piegorsch, Weylin William)
Date: Thu, 29 Dec 2016 03:08:32 +0000
Subject: [rancid] Nexus 9k Login Crypto
Message-ID: <0A59B51D-EDC0-4395-816A-B8B803E3A948@bu.edu>

Regarding type "cisco-nx", is there a need to take into account the Nexus 9000 crypto support?

See here:
http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html

I found that my default setting yielded:

[rancid at localhost ~]$ clogin Nexus-9k
Nexus-9k
spawn telnet Nexus-9k
Trying 10.123.12.241...
telnet: connect to address 10.123.12.241: Connection refused
spawn ssh -c 3des -x -l rancid Nexus-9k
no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr

Error: Couldn't login: Nexus-9k
[rancid at localhost ~]$

However, if I added the line to my .cloginrc:
add cyphertype Nexus-9k {aes128-ctr,aes192-ctr,aes256-ctr}

Then everything worked fine (I'll spare everyone the output).

I'm not clear this is a rancid issue, or a local system issue. Is it something at least worth noting?

weylin

From heas at shrubbery.net Thu Dec 29 17:53:31 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 29 Dec 2016 17:53:31 +0000
Subject: [rancid] Nexus 9k Login Crypto
In-Reply-To: <0A59B51D-EDC0-4395-816A-B8B803E3A948@bu.edu>
References: <0A59B51D-EDC0-4395-816A-B8B803E3A948@bu.edu>
Message-ID: <20161229175331.GL79453@shrubbery.net>

Thu, Dec 29, 2016 at 03:08:32AM +0000, Piegorsch, Weylin William:
> Regarding type "cisco-nx", is there a need to take into account the Nexus 9000 crypto support?
>
> See here:
> http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
>
> I found that my default setting yielded:
>
> [rancid at localhost ~]$ clogin Nexus-9k
> Nexus-9k
> spawn telnet Nexus-9k
> Trying 10.123.12.241...
> telnet: connect to address 10.123.12.241: Connection refused
> spawn ssh -c 3des -x -l rancid Nexus-9k
> no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr
>
> Error: Couldn't login: Nexus-9k
> [rancid at localhost ~]$
>
> However, if I added the line to my .cloginrc:
> add cyphertype Nexus-9k {aes128-ctr,aes192-ctr,aes256-ctr}

that's fine.

> Then everything worked fine (I'll spare everyone the output).
>
> I'm not clear this is a rancid issue, or a local system issue. Is it something at least worth noting?

previous versions of rancid forced 3des, apparently including your version. just use the cyphertype or upgrade, and you may still need to specify cyphertype for the device. also see the FAQ.

From weylin at bu.edu Thu Dec 29 03:25:49 2016
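The cipher mismatch and the .cloginrc fix from the Nexus 9k thread above, as an added example (not code from the thread or from rancid): it scans clogin output for failed cipher negotiations and proposes an "add cyphertype" line per device, keeping only ciphers that are on a local allow-list. The sample log is constructed (the old-switch entry is hypothetical) and the ALLOWED list is an assumed local policy.

```python
import re

# Constructed sample of clogin output, modelled on the session quoted in the
# thread; the "old-switch" entry is hypothetical.
SAMPLE_LOG = """\
Nexus-9k
spawn telnet Nexus-9k
Trying 10.123.12.241...
telnet: connect to address 10.123.12.241: Connection refused
spawn ssh -c 3des -x -l rancid Nexus-9k
no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr

Error: Couldn't login: Nexus-9k
spawn ssh -c 3des -x -l rancid old-switch
no matching cipher found: client 3des-cbc server aes128-cbc,arcfour
"""

# Assumption: ciphers this site is willing to pin in .cloginrc.
ALLOWED = ("aes128-ctr", "aes192-ctr", "aes256-ctr",
           "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
           "chacha20-poly1305@openssh.com")

# The device is the last word of the "spawn ssh ..." line that clogin prints.
SPAWN_RE = re.compile(r"^spawn ssh\b.*\s(\S+)\s*$")
MISMATCH_RE = re.compile(r"^no matching cipher found: client (\S+) server (\S+)")


def cipher_mismatches(log_text):
    """Return [(device, client_offer, [server ciphers])] per failed negotiation."""
    found, device = [], None
    for line in log_text.splitlines():
        m = SPAWN_RE.match(line)
        if m:
            device = m.group(1)
            continue
        m = MISMATCH_RE.match(line)
        if m and device:
            found.append((device, m.group(1), m.group(2).split(",")))
            device = None
    return found


def cloginrc_lines(log_text, allowed=ALLOWED):
    """Build 'add cyphertype' lines; devices offering nothing allowed are
    returned separately so they get fixed on the device, not in .cloginrc."""
    lines, rejected = [], []
    for device, _client, server in cipher_mismatches(log_text):
        usable = [c for c in server if c in allowed]
        if usable:
            lines.append("add cyphertype %s {%s}" % (device, ",".join(usable)))
        else:
            rejected.append(device)
    return lines, rejected


if __name__ == "__main__":
    proposed, needs_attention = cloginrc_lines(SAMPLE_LOG)
    print("\n".join(proposed))
    print("no acceptable cipher offered by:", ", ".join(needs_attention))
```
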
From: weylin at bu.edu (Piegorsch, Weylin William)
Date: Thu, 29 Dec 2016 03:25:49 +0000
Subject: [rancid] cisco-nx and debug: filesystem
Message-ID: <4A6FC2FE-C069-48B6-B258-A2194F5F441F@bu.edu>

Hello,

I'll put the details below, but basically: for the Nexus 9k, the debug: filesystem is constantly filling with information, and there's no way to turn it off. I can manually alter my cisco-nx output (or create a special-purpose 9k variant) to remove the "dir debug:" and do something about "dir logflash:" output, but I'd prefer to avoid that if I can. What other options do I have, except "live with it"?

weylin

I noticed every time rancid grabbed an archive of my Nexus 9k (specifically a 9372PX-E in NX-OS mode), I would get output similar to:

Index: configs/Nexus-9k =================================================================== retrieving revision 1.6 diff -U 4 -r1.6 Nexus-9k
@@ -140,26 +140,26 @@ !Flash: bootflash: 1736 MB used !Flash: bootflash: 47763 MB free !Flash: bootflash: 49500 MB total ! - !Flash: debug: 32782 Dec 27 14:29:15 2016 bootvar_debug.log - !Flash: debug: 5 Dec 27 14:29:15 2016 bootvar_debug.meta + !Flash: debug: 32971 Dec 28 02:29:12 2016 bootvar_debug.log + !Flash: debug: 5 Dec 28 02:29:12 2016 bootvar_debug.meta !Flash: debug: Usage for debug://sup-local !Flash: debug: 0 MB used !Flash: debug: 4 MB free !Flash: debug: 5 MB total ! !Flash: logflash: 4096 Aug 20 00:52:52 2016 ISSU_debug_logs/ !Flash: logflash: 4096 May 15 16:59:01 2016 core/ !Flash: logflash: 4096 Feb 20 15:08:00 2016 debug/ - !Flash: logflash: 2449408 Dec 28 02:01:06 2016 debug_logs/ + !Flash: logflash: 2449408 Dec 28 13:06:36 2016 debug_logs/ !Flash: logflash: 4096 Feb 20 15:08:00 2016 generic/ !Flash: logflash: 4096 log/ !Flash: logflash: 16384 Feb 20 15:07:57 2016 lost+found/ !Flash: logflash: 4096 Aug 29 23:21:18 2016 vdc_1/ !Flash: logflash: Usage for logflash://sup-local - !Flash: logflash: 660 MB used - !Flash: logflash: 7403 MB free + !Flash: logflash: 665 MB used + !Flash: logflash: 7398 MB free !Flash: logflash: 8063 MB total ! !Flash: volatile: 40 Aug 20 02:07:39 2016 virtual-instance/ !Flash: volatile: Usage for volatile://sup-local

I opened a TAC case about, I'm copying the email thread here (with modifications to email to protect spam harvesters).
From: "William Chong (wilchong)"
Date: Wednesday, December 28, 2016 at 01:50
To: Weylin Piegorsch < weylin at bu dot edu >
Cc: "attach at cisco.com"
Subject: RE: SR 681520039 : Increasing Log Size

Hi Weylin,

This isn't documented externally, however, these communications can be treated as official documentation if required.

Let me know if you have any further questions.

Thanks!
William

William Chong
Customer Support Engineer
Asia Pacific TAC - Sydney
Cisco Systems
Direct: +61 2 8446 7739
Aust: +61 2 1800 805 227
USA: +1 800 553 2447
Shift Schedule: Mon - Fri 1200-1800 AEDT (+11GMT/UTC)
Email: wilchong at cisco dot com
Global TAC Contacts: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

From: Piegorsch, Weylin William [mailto: weylin at bu dot edu]
Sent: Wednesday, 28 December 2016 5:29 PM
To: William Chong (wilchong) < wilchong at cisco dot com >
Cc: attach at cisco.com
Subject: Re: SR 681520039 : Increasing Log Size

Thanks William. Is this documented anywhere?

weylin

From: "William Chong (wilchong)" < wilchong at cisco dot com >
Date: Tuesday, December 27, 2016 at 00:46
To: Weylin Piegorsch
Cc: "attach at cisco.com"
Subject: SR 681520039 : Increasing Log Size

Hi Weylin,

This is William Chong from Cisco TAC - LAN Switching Team and I have ownership of this case.

It is my understanding that you are seeing an increase in file size of the debug logs on your Nexus 9k.

Answers to your questions below:

If this is expected behaviour:
The switch will update the bootvar_debug.log file as part of its normal operation. This data is intended for Cisco engineering and TAC.

What I would need to do to disable it
Preventing these logs from updating is not an option as it is part of the switch's normal operation.

If I need to be worried about exhausting storage capacity.
The debug directory will have a dedicated amount of flash storage for the file, as such, it will not have an impact on the other functions of the switch. You will not need to be worried about exhausting the capacity.

Please let me know if you have any further questions.

Thanks!
William

William Chong
Customer Support Engineer
Asia Pacific TAC - Sydney
Cisco Systems
Direct: +61 2 8446 7739
Aust: +61 2 1800 805 227
USA: +1 800 553 2447
Shift Schedule: Mon - Fri 1200-1800 AEDT (+11GMT/UTC)
Email: wilchong at cisco dot com
Global TAC Contacts: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

From Sebastien.Boulianne at cpu.ca Sat Dec 31 23:52:17 2016
From: Sebastien.Boulianne at cpu.ca (Sebastien.Boulianne at cpu.ca)
Date: Sat, 31 Dec 2016 18:52:17 -0500
Subject: [rancid] Backup Fortigate configuration including all vdoms.
Message-ID: <5FE0959288C73D448BB44CB7E9CC320F5E2F6E79D0@CPUMAIL2.cpu.qc.ca>

Hi,

Most of our routers / FW are Fortigates.
I would like to take a full config backup including all vdoms using Rancid.
How can I do that?

I have 3 VDOMs on a FGT80C: Global, root, ROUTER
How can I take those 3 vdoms in backup?
I have the global admin account for all those devices.

I have the same problem with a FGT300B.

Thank you very much and merry Christmas + happy new year all!

Sébastien.