[rancid] Rollback functionality and potential pitfalls

heasley heas at shrubbery.net
Wed Feb 13 21:43:30 UTC 2013


Wed, Feb 13, 2013 at 12:33:50PM -0500, Ramon:
> So far I have been able to bypass the "$" expansion with sed, by adding
> a "\" in front of every occurrence.
> 
> The question mark "?" can be bypassed by using "Ctrl-V". However
> I could not find a way to add that control sequence (like we can do
> with "\n" or "\r") to a script line, nor make clogin inject that before an
> instance of "?".
> 
> The banner login and motd I could only make work with clogin if I use
> just one line for the text immediately followed by the delimiter character.
> Any newlines will make the clogin script hang, which I suspect is because
> expect is waiting for some shell return string or character.
> 
> Since most banners are several lines, right now I am having to trim the
> banner statements out completely to avoid the problem. Could anyone give me
> some direction as to how I could make clogin play ball both with Ctrl-V and
> with banner text newlines?

use any char not in the banner.  e.g.: =

> Thanks,
> Ramon
> 
> 
> On Wed, Feb 13, 2013 at 10:20 AM, Ramon <ramonbatwork at gmail.com> wrote:
> 
> > shouldbe, thanks.... that is exactly what I was looking for. Characters
> > "?", "$" and "^C" all produce unwanted expansion. The "?" throws a WORD in
> > the example you cite, breaking the config script. The "$" in a secret or
> > password string breaks the clogin process because it tries to read
> > it as a variable:
> >
> > can't read "1": no such variable
> >     while executing
> > "subst -nocommands [lindex $commands $i]"
> >     (procedure "run_commands" line 26)
> >     invoked from within
> > "run_commands $prompt $command"
> >     ("foreach" body line 186)
> >     invoked from within
> > "foreach router [lrange $argv $i end] {
> >     set router [string tolower $router]
> >     # attempt at platform switching.
> >     set platform ""
> >     send_user ..."
> >     (file "/usr/local/rancid/bin/clogin" line 740)
> >
> > And the "^C" on the motd enters interactive mode and eventually times out:
> >
> > #banner login ^C
> > Enter TEXT message.  End with the character '^'.
> >
> > Error: TIMEOUT reached
> >
> >
> > I took the ASA out of the scope yesterday when I noticed what a mess that
> > would be. So right now I am only trying to make this work for Cisco routers
> > and switches (2911's and 2950's specifically). Router reload is completely
> > out of the question, and configure replace has proved to be risky at times
> > (when the command is scripted you have to use force, and it has trimmed
> > correct vlans and left old ones in place).
> >
> > I'm going to dig thru clogin code to see if I can come up with a
> > workaround for the parsing problems mentioned above, any help appreciated!
> >
> > Ramon
> >
> >
> >
> >
> >
> > On Tue, Feb 12, 2013 at 5:49 PM, shouldbe q931 <shouldbeq931 at gmail.com> wrote:
> >
> >>
> >>
> >>
> >> On Tue, Feb 12, 2013 at 4:04 PM, Ramon <ramonbatwork at gmail.com> wrote:
> >>
> >>> Hello all,
> >>>
> >>> I am currently looking in to a way to implement rollback functionality
> >>> using rancid. What would it take to reverse bad changes and restore the
> >>> config of a cisco device back to a previous saved version?
> >>>
> >>> I ask because just pushing the original config on top of the modified
> >>> version would not remove or flush out certain statements, possibly leaving
> >>> duplicates that would have to be removed manually.
> >>>
> >>> My first idea was to create a negative file, by generating a "no
> >>> statement" for every line in the new config that does not match the old
> >>> config. After pushing the negative file and removing the changes I would
> >>> push the old config to restore any of the deleted statements.
> >>>
> >>> Feedback on any foreseeable issues such as possible hierarchical
> >>> problems (interfaces, acls, bgp) would be very welcomed.
> >>>
> >>> Thanks,
> >>> Ramon
> >>>
> >>
> >> A few problems that I thought of
> >>
> >> If you're doing a "conf t" and then sending the updates, you need to be
> >> able to parse and escape "special" characters, such as the ? in line three
> >> below
> >>
> >> 1 ip ddns update method dyn.he.net
> >> 2  HTTP
> >> 3   add
> >> http://dynamicrouter.domain.com:hjo97864hhj06hA@ipv4.dyn.dns.he.net/nic/update?hostname=
> >> <h>&myip=<a>
> >>
> >> The thought of escaping characters led me on to motd lines...
> >>
> >> banner motd ^C
> >> This is not the router you are looking for
> >> ^C
> >>
> >> And finally, the order of NAT rules on an ASA can be critical, this would
> >> mean either removing all of them (affecting all traffic) and then adding
> >> all of them, or being able to parse all of the NAT rule lines to add the
> >> sequence to the rollback, such as
> >>
> >>     no nat 14
> >>     nat (inside,outside) 14 source static i-server i-server.domain.comservice tcp-in-https tcp-in-https
> >>
> >> I'm sure there are lots of other similar cases
> >>
> >> If you can cope with a reload, then I would go with either a tftp boot, or
> >> erase startup, tftp copy to startup and then reload.
> >>
> >> As well as rancid, I also like to archive to a FTP server, so when TFTP
> >> isn't an option (such as a remote site router), I can simply go
> >>
> >>  erase start
> >>  copy ftp://user:pass@host/path/file startup
> >>
> >> And then reload
> >>
> >> For a client that bought CSM, I manage their ASA firewalls with CSM,
> >> after a particularly bad experience with the built in CSM rollback, I now
> >> do the changes and deploy normally rather than a rollback deploy if changes
> >> need to be "reverted".
> >>
> >> Cheers
> >>
> >
> >

> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
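The three pitfalls the thread turns on (Tcl `$` expansion inside clogin, IOS treating `?` as a help request, and a banner delimiter that may occur in the banner text) can be handled in a small pre-processing step before a config snippet is fed to `clogin -x`. The script below is an added example written for this page; it is not part of rancid and not code from anyone in the thread. It assumes, as the traceback above shows, that clogin runs each line through Tcl `subst -nocommands` (so `\` and `$` need a backslash), that a Ctrl-V (0x16) byte placed before `?` reaches IOS unchanged through expect's `send` (the thread does not settle this), and, following heasley's suggestion, that any character absent from the banner text is a valid banner delimiter. The sample config is constructed.

```python
import re

CTRL_V = "\x16"                   # IOS "quote the next character" keystroke
DELIM_CANDIDATES = "=#~%@!|;:+"   # tried in order; first one absent from the banner wins


def escape_for_tcl(line):
    """Protect a line from Tcl `subst -nocommands` (backslash first, then `$`)."""
    return line.replace("\\", "\\\\").replace("$", "\\$")


def escape_for_clogin(line):
    """Escape one IOS command line for clogin -x.

    `$` would otherwise be read as a Tcl variable (the "can't read ..." error
    quoted in the thread); a bare `?` would be answered by IOS context help.
    Assumption: the raw Ctrl-V byte survives expect's send().
    """
    return escape_for_tcl(line).replace("?", CTRL_V + "?")


def pick_delimiter(banner_text):
    """Return a delimiter character that does not occur in the banner text."""
    for ch in DELIM_CANDIDATES:
        if ch not in banner_text:
            return ch
    raise ValueError("no safe banner delimiter available")


# `show run` prints the Ctrl-C delimiter as the two characters "^C"; accept
# that spelling, the raw 0x03 byte, or any other single non-space character.
BANNER_RE = re.compile(r"^(banner\s+\w+)\s+(\^C|\x03|\S)(.*)$")


def rewrite_banners(config_text):
    """Return a list of lines ready for clogin -x.

    Banner blocks are re-delimited with a character not present in their
    text; every other line goes through escape_for_clogin().  Banner bodies
    are only Tcl-escaped, since IOS takes banner text verbatim.
    """
    lines = config_text.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i])
        if not m:
            out.append(escape_for_clogin(lines[i]))
            i += 1
            continue
        keyword, delim, rest = m.groups()
        body = []
        if rest and rest.endswith(delim):          # one-line form: banner motd =text=
            body.append(rest[: -len(delim)])
            i += 1
        else:                                      # multi-line form
            if rest:
                body.append(rest)
            i += 1
            while i < len(lines) and not lines[i].rstrip().endswith(delim):
                body.append(lines[i])
                i += 1
            if i < len(lines):                     # closing line, maybe with trailing text
                tail = lines[i].rstrip()[: -len(delim)]
                if tail:
                    body.append(tail)
                i += 1
        new_delim = pick_delimiter("\n".join(body))
        out.append(f"{keyword} {new_delim}")
        out.extend(escape_for_tcl(b) for b in body)
        out.append(new_delim)
    return out


if __name__ == "__main__":
    # Constructed sample config exercising all three pitfalls.
    SAMPLE = (
        "hostname r1\n"
        "enable secret 5 $1$ab$cd\n"
        "banner motd ^C\n"
        "This is not the router you are looking for\n"
        "^C\n"
        "ip ddns update method dyn.example\n"
        " HTTP\n"
        "  add http://user:pw@dyn.example/nic/update?hostname=<h>&myip=<a>\n"
    )
    for line in rewrite_banners(SAMPLE):
        print(line.replace(CTRL_V, "<Ctrl-V>"))
```

Run it as a filter over the snippet you intend to push (`python3 prep.py > rollback.cfg`, then `clogin -x rollback.cfg router`), and inspect the printed form first: the `<Ctrl-V>` marker shows exactly where the quote byte was inserted and the new banner delimiter is visible on the `banner` line.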