[rancid] Re: F5 load balancer support

Mike Ashcraft mashcraft at omniture.com
Wed Aug 29 19:14:55 UTC 2007


Sam,
 
What version is on your old boxes?  4.x?  I don't know how well f5rancid
will work on BIG-IP 4.x as I do not have it to test. 
 
That said, along with all disclaimers of fitness for any purpose or any
liability for anything that might happen, I gave it a quick attempt.  
 
Here is a diff for f5login that you can test.  This tries to send the
TERM type from your environment and defaults to vt100 if it is not set.
It replaces a chunk of Cisco related code that is not needed.
 
418,421c418,424
<       -re "Enter Selection: " {
<                                 # Catalyst 1900s have some lame menu.
Enter
<                                 # K to reach a command-line.
<                                 send "K\r"
---
>       -re "Terminal type\?" {
>                                 # v4.x asks for term type
>                                   if {[info exists env(TERM)]} {
>                                       send "$env(TERM)\r"
>                                 } else {
>                                 send "vt100\r"
>                                   }
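Review bot: In the new -re "Terminal type\?" line the backslash sits inside a double-quoted Tcl string, so Tcl removes it before the regex engine sees the pattern. What gets compiled is Terminal type?, where the ? makes the final "e" optional instead of matching a literal question mark. It will still match the prompt, but more loosely than intended; writing it as -re "Terminal type\\?" or in braces as -re {Terminal type\?} keeps the literal "?". Also, if this branch ends up inside a proc, env is not visible there without a "global env" (or $::env(TERM)), in which case the info exists test is always false and vt100 is sent every time; the visible lines do not show which applies, so it is worth checking. The indentation of the if/else lines is uneven and could be aligned.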

If that does not work,  adjust the regex to match the actual prompt and
hardcode vt100 if necessary.  If that fails, send a screen capture of
the normal login process and the results of an f5login for comparison. 
 
Mike  

________________________________

From: Sam Munzani [mailto:sam at munzani.com] 
Sent: Wednesday, August 29, 2007 11:50 AM
To: Mike Ashcraft
Cc: Lance; rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: F5 load balancer support


Team,

I am sorry to reopen this old thread but the question I have relates to
this old thread.
The 2 attached rancid login files work fine on newer F5 boxes. However, on
old boxes, it prompts for "term type" at the ssh login. I need to insert
logic in the script to answer this "term type" question. What's the best
way to handle it?

Pass it as an argument like
f5login -t vt100 device-name

and then catch the variable and add necessary logic for the expect?

Thanks,
Sam


	I have been on vacation for the last couple of weeks or I would
	have posted this sooner and possibly saved some of you a bit of effort.
	
	It sounds like Lance and Sam have put together a working
	f5rancid with basic functionality which Sam posted last night.  I have
	attached my f5rancid which I have been running for a few months.
	Installation instructions are included as comments in the file.  This
	version uses clogin so that a separate f5login script is not required.
	
	This version formats and processes the output to make it more
	usable.  As far as what is captured, I based this on the F5 equivalent
	of a tech out.  It grabs a copy of all the configuration files, hardware
	configuration and software version as well as the timestamps and file
	sizes for SSL certs hosted on the device.  This facilitates rebuilding
	from scratch as quickly as possible if this is ever needed.
	
	I was able to resolve the bug I mentioned yesterday by
	increasing the clogin timeout.  On a small number of devices it failed
	to process the last few commands when running from cron but always
	worked properly from the command line on all devices [making it
	difficult to track down].   I mention this because it may be an
	appropriate fix for other intermittent problems sometimes discussed on
	this list.
	
	Any feedback is appreciated.  I hope to get f5 support added to
	future releases of rancid.
	 
	Thanks,
	 
	Mike
	 
	 

________________________________

	From: Sam Munzani [mailto:sam at munzani.com] 
	Sent: Monday, July 16, 2007 7:49 PM
	To: Lance
	Cc: Mike Ashcraft; rancid-discuss at shrubbery.net
	Subject: Re: [rancid] Re: F5 load balancer support
	
	
	Lance,
	
	Thanks a lot for all your help. Pretty much you did all the work
	while I watched what you are doing :-)..
	
	Attached are cleaned up files. In f5rancid file, I have left
	some basic functions (non platform specific) just in case we expand this
	script to do a lot more than just "b list" output. In rancid-fe, we
	defined a new device type "f5", f5login was copied from clogin and
	remarked some "term length" statements we don't need on F5.
	
	All 3 files are attached and working great. Please be aware, we
	are not parsing anything at all. All it's doing is the basic function of
	running "b list" command and capturing its output. As I expand more on
	this, I will be sure to share with the audience here.
	
	Again, thanks a lot for all your help today.
	
	Regards,
	Sam
	

		I have helped Sam get a working f5rancid which requires a f5login (only
		because it doesn't recognize the prompt with a space and exit, unless
		you enter a return before the exit). He is cleaning up all the unused
		functions and will post it.
		
		Once John H. sends out his script I will look at it and see how it
		differs from the one I did with Sam. I will even help Sam get it working
		for his setup. We will let you know when it is all working.
		
		-lance
		
		  

			-------- Original Message --------
			Subject: [rancid] Re: F5 load balancer support
			From: "Mike Ashcraft" <mashcraft at omniture.com>
			Date: Mon, July 16, 2007 11:48 am
			To: <sam at munzani.com>
			Cc: rancid-discuss at shrubbery.net
			
			Sam,
			
			I have a working f5rancid that I have been using for a number of months
			now.   I have one minor bug related to tracking installed SSL certs
			which you probably don't care about.  Other than that, it works great.
			
			I did encounter and solve all the problems you have been discussing on
			the list.
			
			Let me know if you are interested in trying what I have.  I have tested
			it with Big-IP 9.1.2.
			 
			Mike
			
			________________________________
			
			From: rancid-discuss-bounces at shrubbery.net
			[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Sam Munzani
			Sent: Monday, July 16, 2007 10:58 AM
			To: smunzani at comcast.net
			Cc: rancid-discuss at shrubbery.net
			Subject: [rancid] Re: F5 load balancer support
			
			
			BTW, this is what I see in the log when I do rancid-run now. That means
			the f5rancid file (hacked copy of rancid) is still missing something.
			
			more nfl.20070716.114842
			starting: Mon Jul 16 11:48:42 CDT 2007
			
			
			
			Trying to get all of the configs.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 1.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 2.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 3.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 4.
			test-f5-01: End of run not found
			-bash: write: command not found
			
			cvs diff: Diffing .
			cvs diff: Diffing configs
			nfl.20070716.114842 71%starting: Mon Jul 16 11:48:42 CDT 2007
			
			
			
			Trying to get all of the configs.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 1.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 2.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 3.
			test-f5-01: End of run not found
			-bash: write: command not found
			=====================================
			Getting missed routers: round 4.
			test-f5-01: End of run not found
			-bash: write: command not found
			
			cvs diff: Diffing .
			cvs diff: Diffing configs
			cvs diff: cannot find configs/test-f5-01
			cvs commit: Examining .
			cvs commit: Examining configs
			cvs commit: Up-to-date check failed for `configs/test-f5-01'
			cvs [commit aborted]: correct above errors first!
			ls: test-f5-01: No such file or directory
			
			ending: Mon Jul 16 11:49:41 CDT 2007
			
			Thanks,
			Sam
			
			
				David,
				
				Thanks a lot for the tip. This worked well. Now f5login goes much
				cleaner and the "root" doesn't get sent again. I still have other issues
				where rancid-run is backing up config properly but I am still
				troubleshooting it.
				
				Now here is a question. What does "bldshgalsjd" mean and how does it do
				this miracle?
				
				Thanks,
				Sam
				  
			
					Thanks for this tip, turns out that this is also the reason the
					username gets entered at a prompt on the cisco IPS devices. Since it's
					using SSH and therefore doesn't need a username prompt, solution was
					to simply add in .cloginrc:
					
					add userprompt ids* bldshgalsjd (<- something that won't get sent
					during login)
					
					Regards,
					
					David
					
					On 14/07/07, Lance <rancid at gheek.net> wrote:
					    
			
						Sam,
						
						Have you tried using telnet to login, if the f5 has it enabled.
						You may also want to set auto enable in your .cloginrc for this device
						as it looks to clogin as you are already in a cisco equivalent equal to
						enable since your prompt has a # sign in it.
						
						Looking at your next email along with this one it looks like you are
						already in a cisco equivalent of enable after you login. f5login seems
						to be sending your username of root as a command after you get connected
						because it sees this line "Last login: Fri Jul 13 14:38:03 2007 from
						172.24.100.12" and it matches on the word "Login". See below.
						
						"(Username|Login|login|user name):"? yes
						
						expect: set expect_out(0,string) "login:"
						
						expect: set expect_out(1,string) "login"
						
						expect: set expect_out(spawn_id) "exp4"
						
						expect: set expect_out(buffer) " \r\nLast login:"
						
						send: sending "root\r" to { exp4 }
						
						expect: continuing expect
						
						You are just using a Cisco login/parsing script so it expects prompts
						from a Cisco device and in this case you have a *nix SSH banner that
						gets interrupted. I know you can use RANCID to backup *nix systems. So
						it knows how to understand connecting to a *nix system. You might want
						to try this email thread which asks about backing up Linux configs.
						
						"http://www.shrubbery.net/pipermail/rancid-discuss/2006-August/001649.html"
						
						Or you could modify the existing f5login like so.
						
						I think you have to use the caret before the () to work. I haven't
						checked this as I am at home and not on a UNIX system right now. Sorry,
						too lazy to check it out right now. You might want to uncomment the line
						below 3. and comment out the line below 2. and see if that works. This
						is the only point in the code that I see it look for login in any line.
						If that doesn't work send me back the debug and I will see what I can
						do. I am sure some people that use expect more often than I can probably
						quickly tell you what to use as syntax there.
						
						# Figure out prompts
						set u_prompt [find userprompt $router]
						if { "$u_prompt" == "" } {
						    #1. ORIGINAL
						    #set u_prompt "^(Username|Login|login|user name):"
						    #2. Modified to read for a line beginning with
						    #   Username, Login, login, or user name.
						    set u_prompt "^(Username|Login|login|user name):"
						    #3. Modified to read for a line beginning with Login or login,
						    #   but I may be wrong
						    #set u_prompt "^(Username|^Login|^login|user name):"
						} else {
						    set u_prompt [join [lindex $u_prompt 0] ""]
						}
						
						
						Let me know if this
works for you.
						
						-Lance
						
						      
			
							-------- Original Message --------
							Subject: Re: [rancid]  F5 load balancer support
							From: Sam Munzani <smunzani at comcast.net>
							Date: Fri, July 13, 2007 2:30 pm
							To: Lance <rancid at gheek.net>
							Cc: rancid-discuss at shrubbery.net
							
							Lance,
							
							F5 login works fine with a minor error.
							
							$ f5login test-f5-01
							test-f5-01
							spawn ssh -c 3des -x -l root test-f5-01
							Password:
							Last login: Fri Jul 13 14:26:28 2007 from 172.24.100.12
							root
							[root at test-f5-01:Active] config # root
							-bash: root: command not found
							[root at test-f5-01:Active] config #
							[root at test-f5-01:Active] config #
							[root at test-f5-01:Active] config #
							
							I don't know how to debug otherwise I would turn on debug too. If you
							can provide some hints on debug, I would appreciate it.
							
							Thanks,
							Sam
							        
			
							What error(s) do you get when you try to run your f5rancid?
							
							Where does it fail if you debug your f5login?
							
							
							-lance
							
							
							          
			
							-------- Original Message --------
							Subject: [rancid]  F5 load balancer support
							From: Sam Munzani <smunzani at comcast.net>
							Date: Fri, July 13, 2007 12:45 pm
							To: rancid-discuss at shrubbery.net
							
							Hi,
							
							Did anybody happen to hack one of the Cisco scripts to support BigIP F5
							boxes? It should be pretty simple. All I want to do is login and type
							"b list" which is equivalent of "show run" on cisco.
							
							However for some reason things are not working. All I did was copy clogin
							to f5login, copy rancid to f5rancid and add the following to rancid-fe.
							
							elsif ($vendor =~ /^f5$/i) { exec('f5rancid', $router); }
							
							Then modified f5rancid file and kept only one command in list of
							commands "b list".
							
							For some reason it's not working. I can post my configs here if somebody
							would like to see them.
							
							Thanks,
							Sam
				
							_______________________________________________
							Rancid-discuss mailing list
							Rancid-discuss at shrubbery.net
							http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
							
							            
			
							
							          
			
	
		
		  



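
Added example (not part of the original thread and not RANCID code): a stand-alone tclsh script that replays the "Last login:" banner from the thread against the user-prompt regex shown in the debug output, the caret variant suggested above, and the dummy .cloginrc userprompt. The two sample buffers are constructed from the session output quoted in the thread; the labels and the line_start pattern are assumptions added for comparison.

```tcl
#!/usr/bin/env tclsh
# Added example, not RANCID code. expect's -re uses Tcl's regexp engine and,
# like plain regexp here, anchors ^ to the start of the buffer, not each line.

# Constructed buffers modelled on the session output quoted in the thread.
set banner      " \r\nLast login: Fri Jul 13 14:38:03 2007 from 172.24.100.12\r\n"
set real_prompt "\r\nlogin: "   ;# a device that really asks for a username

# Label/pattern pairs. The labels and the line_start pattern are assumptions
# made for this example; the other patterns appear in the thread.
set patterns {
    default    {(Username|Login|login|user name):}
    caret      {^(Username|Login|login|user name):}
    line_start {(^|[\r\n])(Username|Login|login|user name):}
    dummy      {bldshgalsjd}
}

# Return 1 if a login script using $pattern as its user prompt would send the
# username after reading $buffer, 0 otherwise.
proc would_send_username {pattern buffer} {
    return [regexp -- $pattern $buffer]
}

# Classify a pattern: a safe one ignores the banner; a useful one still
# answers a genuine username prompt.
proc classify {pattern banner real_prompt} {
    set on_banner [would_send_username $pattern $banner]
    set on_prompt [would_send_username $pattern $real_prompt]
    if {$on_banner} { return "sends username at banner (the bug)" }
    if {$on_prompt} { return "ignores banner, answers real prompt" }
    return "never sends username (fine when ssh -l supplies it)"
}

foreach {label pattern} $patterns {
    puts [format "%-10s %s" $label [classify $pattern $banner $real_prompt]]
}
```

The default pattern matches "login:" inside "Last login:", which is why root was sent as a shell command. The bare caret and the dummy string both stop that, but neither will answer a real username prompt that arrives after other output, because ^ only matches at the very start of the buffer.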