[rancid] Re: rancid use scenarios

Mordechai T. Abzug morty at frakir.org
Wed May 31 06:16:05 UTC 2006


On Tue, May 30, 2006 at 12:24:44PM -0700, Chris Moody wrote:

> At any rate, I'm needing some usage scenarios to help me sell the
> concept to a larger audience at my office.  We have another team
> that is responsible for several hundred nodes and has nothing like
> rancid in place.  I'm planning to get them using the service, but
> need more "weight" in selling the idea to them.

> What are some of the largest deployments of rancid (also anyone
> willing to give contact info to vouch for their numbers?)?  Anyone
> have experience in enterprise scale usage?  Any caveats?  Any tips?

We have 350+ nodes in rancid.  We have a number of smaller management
domains rather than one massive implementation; the largest domain has
125 rancid-monitored nodes.  rancid is relatively lightweight,
especially if you tune down the number of parallel gets, so we run it
as an extra process on existing NMS stations.  It also requires almost
no space, thanks to using CVS; from a resource consumption
perspective, it actually scales lots better than some commercial
equivalents.

If you are located in the US, regardless of your feelings, chances are
that you need rancid or something like it for legal compliance --
between SOX, FISMA, and HIPAA, most commercial and government entities
need lots of monitoring.  If you don't think you need it now, but you
are subject to any kind of auditing and haven't been audited yet, do
yourself a favor and implement it now.

Quite aside from legal issues, tools like rancid are great for lots of
real-life reasons.  They are good for:

* detecting surprise changes ("when did that change occur?  Sure would
  be nice to have an automated tool to tell us when someone makes a
  change in the middle of the night and forgets to send email");

* security monitoring of routers ("where did that permissive ACL come
  from?  Sure would be nice if a tool could tell us what changes
  occurred on routers, so if anything suspicious happens, we can know
  immediately instead of when it ends up in the media");

* exercising router flashes ("Whoops, the flash went bad but the
  device continued to function in-memory, so nobody noticed until a
  power outage.  Sure would be nice if we had a tool that periodically
  logged in to devices and ran a bunch of commands that demonstrate
  that it is working well");

* backing up configs ("Our last manual backup of the router config was
  5 years ago; we've upgraded it twice, and added lots of ACLs since
  then.  Wouldn't an automated way to get config backups make sense?")

If your people are against freeware, or want "Enterprise" features,
there are COTS tools that do more than rancid out of the box, or at
least satisfy management desire for a commercial provider.  Opsware
NAS is particularly studly; it will automatically go out when config
change events are reported via syslog, grab the latest update, and
tell you who did the change (if available).  It can get asset and
module information.  It can do "policy compliance."  It can integrate
with HP OV NNM and other products.  Of course, Opsware costs mucho
dinero and requires beefy hardware, while you can set up a reasonable
rancid setup using an old PC and no commercial software.

If you are a single-vendor shop (i.e. all Cisco, or all Nortel, or all
Juniper, etc.), your vendor may provide/sell you an element manager
(CiscoWorks, Optivity, JunOScope, etc.) that includes rancid-like
functionality.  Unfortunately, it will be specific to said vendor.  If
you are or might become heterogeneous, rancid or another vendor-neutral
package is a good call.

- Morty
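The "detecting surprise changes" and "security monitoring of routers" scenarios in the post above, as an added example that is not part of the original message and not rancid's own code: a small Python script that diffs two router config snapshots the way a nightly rancid run would, and flags added lines that look like the "permissive ACL" the post describes. The two IOS-style config snapshots and the regexes for suspicious additions are constructed assumptions for this example, not a complete policy.

```python
"""Toy rancid-style config change detector (added example, not rancid's code).

Compares two config snapshots, reports the diff a monitoring job would
mail out, and flags added lines that match illustrative "permissive"
patterns.  Sample configs and patterns are constructed for this example.
"""
import difflib
import re

# Constructed sample: last night's snapshot of a router config.
OLD_CONFIG = """\
hostname edge-rtr1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
access-list 101 deny ip any any log
!
line vty 0 4
 transport input ssh
"""

# Constructed sample: this morning's snapshot, after an unannounced change.
NEW_CONFIG = """\
hostname edge-rtr1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit ip any any
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
access-list 101 deny ip any any log
!
line vty 0 4
 transport input telnet ssh
"""

# Illustrative patterns (assumptions for this example) for added lines that
# deserve an immediate look: a wide-open ACL entry and telnet on the VTYs.
SUSPICIOUS_ADDITIONS = [
    re.compile(r"^access-list \d+ permit ip any any$"),
    re.compile(r"^\s*transport input .*\btelnet\b"),
]


def config_diff(old, new):
    """Return (added, removed) line lists between two config snapshots."""
    added, removed = [], []
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                lineterm="", n=0)
    for line in diff:
        # Skip the file headers and hunk markers; keep only content lines.
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def flag_suspicious(added):
    """Return the added lines that match one of SUSPICIOUS_ADDITIONS."""
    return [line for line in added
            if any(pat.match(line) for pat in SUSPICIOUS_ADDITIONS)]


def check_snapshot(old, new):
    """Compare two snapshots and return the summary a nightly job would mail."""
    added, removed = config_diff(old, new)
    return {
        "changed": bool(added or removed),
        "added": added,
        "removed": removed,
        "suspicious": flag_suspicious(added),
    }


if __name__ == "__main__":
    report = check_snapshot(OLD_CONFIG, NEW_CONFIG)
    for line in report["removed"]:
        print("-", line)
    for line in report["added"]:
        print("+", line)
    for line in report["suspicious"]:
        print("SUSPICIOUS:", line)
```

The diff alone answers "when did that change occur?" once each snapshot is committed with a timestamp, as rancid does with CVS; the extra pattern pass is what turns a plain change report into the "where did that permissive ACL come from?" alert the post asks for.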
