[rancid] config file postprocessing (was: post-install, now what?)
Ed Ravin
eravin at panix.com
Tue May 30 16:04:12 UTC 2006

On Tue, May 30, 2006 at 07:46:39AM -0700, john heasley wrote:
> Thu, May 25, 2006 at 11:59:19AM -0400, Ed Ravin:
> > On Thu, May 25, 2006 at 11:45:09AM -0400, jim bartus wrote:
> > > For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
> > > running config sitting in a tftp root, which made it easy to "copy
> > > tftp run" from a device to restore a config. How do you guys address
> > > this in rancid?
> >
> > We don't. RANCID post-processes the config in various ways that improve
> > change reporting but lose the original config. For starters, by default
> > all passwords get removed from the config so that they don't accidentally
> > get emailed out, but there are more subtle transformations: sequence numbers
> > get removed, some things get sorted, etc.
>
> What is lost?

If passwords are left in the config, almost nothing. The biggest complaint
I recall seeing is below, from a post to rancid-discuss a year ago:

> I also have several ACLs that are optimized by packet hits given the
> large amount of traffic and RANCID sorts those as well. So these aren't
> necessarily functional problems so much as performance and audit issues. I
> suppose I can hack up the script to turn this off, but I'd imagine other
> people might possibly run into the same problem. Thanks,

My point was that even though functionality is the same, the config isn't.
And though the differences caused by RANCID's processing almost never
matter, sometimes, like in the case above, they do. If you have
an auditor looking over your shoulder asking if the router configs
are properly backed up (as the author of the quote above did), you're
put in the position of defending RANCID's changes to the config, as
the auditor is understandably going to ask why the alleged backups
in RANCID don't exactly match the config file on the router.

Another issue that might occur when using RANCID as your primary backup
to the router configuration - the RANCID files are much larger than
the original config file, due to all the helpful comments inserted
by RANCID showing things like the hardware status or directory listings.
Depending on the size of the NVRAM and your disaster recovery plan, you
might try to restore a router with a config that won't fit until you
trim down the comments.

-- Ed
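
The restore concern in the message above, as an added example that is not part of the original post and not RANCID's own code: a Python function that drops comment lines from a RANCID-saved config, lists the lines where a secret was filtered, and checks the trimmed size against an NVRAM budget. It assumes an IOS-style config where lines starting with "!" are comments and filtered secrets appear as the literal `<removed>`; the function name, the `nvram_bytes` parameter and the sample config are constructed for illustration.

```python
# Constructed sample of a RANCID-saved IOS-style config (not real device output).
SAMPLE = """\
!RANCID-CONTENT-TYPE: cisco
!
!Chassis type: 2811
!Flash: nvram: Directory of nvram:/
!
hostname edge1
!enable secret <removed>
username ops password <removed>
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
end
"""


def trim_for_restore(text, nvram_bytes):
    """Strip comment lines and report what still blocks a verbatim restore.

    Assumptions: lines starting with "!" are comments (IOS convention) and
    filtered secrets are marked with the literal "<removed>".
    """
    kept, dropped, secret_lines = [], 0, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "<removed>" in line:
            # Secret was filtered out at collection time; it has to be
            # re-entered by hand, whether or not the line is a comment.
            secret_lines.append(lineno)
        if line.startswith("!"):
            dropped += 1
            continue
        kept.append(line)
    trimmed = "\n".join(kept) + "\n"
    size = len(trimmed.encode())
    return trimmed, {
        "original_bytes": len(text.encode()),
        "trimmed_bytes": size,
        "comment_lines_dropped": dropped,
        "removed_secret_lines": secret_lines,
        "fits_nvram": size <= nvram_bytes,
    }


if __name__ == "__main__":
    config, report = trim_for_restore(SAMPLE, nvram_bytes=1024)
    print(report)
```

Trimming only addresses the size problem; it does not bring back the removed passwords or the original ordering and sequence numbers that the message says RANCID changes.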