[rancid] Reverse RANCID

Alan McKinnon alan.mckinnon at gmail.com
Wed Feb 11 15:31:58 UTC 2015

On 11/02/2015 14:02, James Bensley wrote:
> Hi All,
> I am think about writing a web interface that uses RANCID in the
> background to make configuration changes on devices. Since RANCID has
> a bunch of scripts for various device types my thinking is a
> simple-ish web interface in which I can paste in some config and then
> use RANCID to log into the device and input the config, also though I
> can specify some commands and RANCID will run though them and capture
> output which can be passed to Bash/PERL/Python scripts to interogate
> the output and check that the BGP sessions have come back up or that
> the number of routes in a VRF is still the same etc.
> The goal is: Anything I do on the CLI when making changes to devices
> can be automated.
> I know I can push config using the RANCID CLI wrapper scripts but I'm
> wondering if anyone has done this before to extend RANCID to also run
> "show" style commands and interogated the output to make checks to
> valid the success of the change, and also if anyone has made a web
> interface already (other than the CVS types for RANCID's normal
> purpose of backing up rather than pushing config) ?

It doesn't make sense to extend rancid in this way.

Consider rancid's purpose: it logs in, captures the config, diffs it and
stores the result. Then tells you what the diff is.

None of that involves in any way changing the device in question and it
is highly recommended that you lock down the rancid user to only the
specific commands listed in @commands.

There is one part of rancid that enables you to do config changes
however: clogin

Rather do something like this:
Get the changes you want to make from the user, apply them using clogin
and then write a framework that will do the double-checking you
describe. Rancid itself has no code you can leverage to do any of that.
It's best done in an entirely separate system, with the added benefit
that rancid will come along in an hour and record the fact of a change made.

All this depends however on your Risk department being OK with the idea.
I know mine would shoot me at the very thought :-)

Alan McKinnon
alan.mckinnon at gmail.com

More information about the Rancid-discuss mailing list