[rancid] Rollback functionality and potential pitfalls

Ramon ramonbatwork at gmail.com
Wed Feb 13 17:33:50 UTC 2013

So far I have been able to to bypass the "$" expansion with sed, by adding
a "\" in front of every occurrence.

The question mark "?" is possible to be bypassed by using "Ctrl-V". However
I could not find a way for to add that control sequence (like we can do
with "\n" or "\r" ) to a script line nor make clogin inject that before an
instance of "?".

The banner login and motd I could only make it work with clogin if I use
just one line for the text immediately followed by the delimiter character.
Any newlines will make the clogin script hang, which I suspect is because
expect is waiting for some shell return string or character.

Since most banners are several lines, right now I am having to trim the
banner statements out completely to avoid the problem. Anyone could give me
some direction as to how I could make clogin play ball both with Ctrl-V and
with banner text newlines?


On Wed, Feb 13, 2013 at 10:20 AM, Ramon <ramonbatwork at gmail.com> wrote:

> shouldbe, thanks.... that is exactly what I was looking for. Characters
> "?" , "$" and "^C" all produce unwanted expansion. The "?" throws a WORD in
> the example you cite, breaking the config script. The "$" in a secret or
> password string breaks out the clogin process with because it tries to read
> it as a variable:
> can't read "1": no such variable
>     while executing
> "subst -nocommands [lindex $commands $i]"
>     (procedure "run_commands" line 26)
>     invoked from within
> "run_commands $prompt $command"
>     ("foreach" body line 186)
>     invoked from within
> "foreach router [lrange $argv $i end] {
>     set router [string tolower $router]
>     # attempt at platform switching.
>     set platform ""
>     send_user ..."
>     (file "/usr/local/rancid/bin/clogin" line 740)
> And the "^C" on the motd enters interactive mode and eventually times out:
> #banner login ^C
> Enter TEXT message.  End with the character '^'.
> Error: TIMEOUT reached
> I took the ASA out of the scope yesterday when I noticed what a mess that
> would be. So right now I am only trying to make this work for Cisco routers
> and switches (2911's and 2950's specifically). Router reload in completely
> out of question, and configure replace has proved to be risky at times
> (when the command is scripted you have to use force, and it has trimmed
> correct vlans and left old ones in place).
> I'm going to dig thru clogin code to see if I can come up with a
> workaround for the parsing problems mentioned above, any help appreciated!
> Ramon
> On Tue, Feb 12, 2013 at 5:49 PM, shouldbe q931 <shouldbeq931 at gmail.com>wrote:
>> On Tue, Feb 12, 2013 at 4:04 PM, Ramon <ramonbatwork at gmail.com> wrote:
>>> Hello all,
>>> I am currently looking in to a way to implement rollback functionality
>>> using rancid. What would it take to reverse bad changes and restore the
>>> config of a cisco device back to a previous saved version?
>>> I ask because just pushing the original config on top of the modified
>>> version would not remove or flush out certain statements, possibly leaving
>>> duplicates that would have to be removed manually.
>>> My first idea was to create a negative file, by generating a "no
>>> statement" for every line in the new config that does not match the old
>>> config. After pushing the negative file and removing the changes I would
>>> push the old config to restore any of the deleted statements.
>>> Feedback on any foreseeable issues such as possible hierarchical
>>> problems (interfaces, acls, bgp) would be very welcomed.
>>> Thanks,
>>> Ramon
>> A few problems that I thought of
>> If you're doing a "conf t" and then sending the updates, you need to be
>> able to parse and escape "special" characters, such as the ? in line three
>> below
>> 1 ip ddns update method dyn.he.net
>> 2  HTTP
>> 3   add
>> http://dynamicrouter.domain.com:hjo97864hhj06hA@ipv4.dyn.dns.he.net/nic/update?hostname=
>> <h>&myip=<a>
>> The thought of escaping characters lead me onto motd lines...
>> banner motd ^C
>> This is not the router you are looking for
>> ^C
>> And finally, the order of NAT rules on an ASA can be critical, this would
>> mean either removing all of them (affecting all traffic) and then adding
>> all of them, or being able to parse all of the NAT rule lines to add the
>> sequence to the rollback, such as
>>     no nat 14
>>     nat (inside,outside) 14 source static i-server i-server.domain.comservice tcp-in-https tcp-in-https
>> I'm sure there are lots of other similar cases
>> If you can cope with a reload, then would go with either a tftp boot, or
>> erase startup, tftp copy to startup and then reload.
>> As well as rancid, I also like to archive to a FTP server, so when TFTP
>> isn't an option (such as a remote site router, I can simply go
>>  erase start
>>  copy ftp://user:pass@host/path/file startup
>> And then reload
>> For a client that bought CSM, I manage their ASA firewalls with CSM,
>> after a particularly bad experience with the built in CSM rollback, I now
>> do the changes and deploy normally rather than a rollback deploy if changes
>> need to be "reverted".
>> Cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20130213/89bcc413/attachment.html>

More information about the Rancid-discuss mailing list