[rancid] vyatta/vyos

rdrake rdrake at direcpath.com
Mon Jan 5 20:07:52 UTC 2015


On 01/04/2015 09:28 PM, James Andrewartha wrote:
> On 28/12/14 10:30, Antonio Querubin wrote:
> I took a different approach for my VyOS (well, Ubiquiti EdgeOS)
> routers. I use the in-built configuration backup to copy the
> configuration to the rancid host: set system config-management
> commit-archive location
> 'scp://user:password@rancidhost:/var/lib/rancid/ccgs/configs/vyoshost.domain.name'
> I also made a few changes to /opt/vyatta/sbin/vyatta-commit-push.pl,
> changing it to use the commands form of configuration (note also the
> change from showCfg to showConfig): 
I would advise against this depending on the size and scope of your
network.  The primary issue with pushing the configuration is that if
any of your routers are compromised then someone has a username and
password, as well as the name of your configuration server, so they have
full access to hop to it and further compromise other hosts.

A better choice for most UNIX-based routers if you're skipping rancid is
to use ssh host keys to allow the configuration server access without
passwords, then pull the file at scheduled times and manage it with
change control.  (Rancid still helps here by normalizing lines, like
sorting access-lists or removing timestamps if needed, but if the file
is pretty static you might be able to commit it without changing anything.)

> my $cmd = 'cli-shell-api showConfig --show-active-only --show-commands';
>
> and changing the save filename:
>
>     #my $cmd = "curl -s -T $tmp_push_file $uri/$save_file";
>     my $cmd = "curl -s -T $tmp_push_file $uri";
>
> Then my vyosrancid file is just:
>
> #!/usr/bin/perl
> # Just copy the existing (pushed) file to .new so rancid's normal
> # diff/commit step picks it up.
> use strict;
> use warnings;
> use File::Copy qw(copy);
>
> my $host = $ARGV[0];
> defined $host or die "usage: $0 <config file>\n";
>
> copy($host, "$host.new")
>     or die "copy $host -> $host.new failed: $!\n";
>
> exit(0);
>
> Obviously this isn't for everyone, being a push rather than pull setup,
> but it does the job for me.
>
Of course, use whichever works best for you.  I just don't advise
scaling with this approach just in case. :)
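For the pull-based setup described above, here is a sketch of what it looks
like in practice.  This is an added example, not code from the thread or
from rancid/VyOS: the router lets a dedicated key from the rancid host run
exactly one command, and the collector only replaces its stored copy when
the pulled config actually differs (and never on an empty pull).  The
router name, the pull account, the key path, the store directory and the
vyatta-op-cmd-wrapper invocation are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, rancid or VyOS).
# Pull-based collection of a VyOS/EdgeOS config from the rancid host.
# All names below are assumptions: adjust to your environment.

ROUTER="${ROUTER:-vyoshost.domain.name}"            # assumed router name
PULL_USER="${PULL_USER:-rancid}"                    # assumed read-only account on the router
KEY="${KEY:-/var/lib/rancid/.ssh/id_ed25519_pull}"  # assumed dedicated private key, never leaves this host
STORE="${STORE:-/var/lib/rancid/ccgs/configs}"      # where rancid keeps the configs

# authorized_keys line for the router side: the key may only run the one
# dump command, gets no shell/pty, no forwarding, and only from the rancid
# host. A compromised router then holds nothing that reaches the collector.
# $1 = public key text, $2 = rancid host address
forced_key_line() {
    printf 'from="%s",command="/opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# Pull the running config in "set" command form. sshd ignores the command
# we pass because the key is forced to it, but stating it documents intent.
# BatchMode makes a missing key fail instead of prompting for a password.
pull_config() {
    ssh -i "$KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes "$PULL_USER@$ROUTER" \
        '/opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands'
}

# Replace the stored copy only if the fresh pull differs.
# Returns 0 when a change was recorded, 1 when unchanged, 2 on an empty
# pull (a failed ssh must not overwrite a good copy with nothing).
# $1 = freshly pulled file, $2 = stored path
store_if_changed() {
    [ -s "$1" ] || return 2
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    cp "$1" "$2.new" && mv "$2.new" "$2"
}

# One scheduled run (cron on the rancid host): pull, store, report.
collect() {
    tmp=$(mktemp) || return 3
    pull_config > "$tmp"
    store_if_changed "$tmp" "$STORE/$ROUTER"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run collect from cron on the rancid host; a return of 0 is the cue to
commit the new file (rancid's normal diff/commit, or your own VCS), 1 means
nothing to do, and 2 means the pull itself failed and should be alarmed on
rather than silently committed.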
