[rancid] Huawei config collection issue AR150 router - prompt issue?

Darren Marshall darren at tuff.org.uk
Thu Nov 5 18:19:39 UTC 2015


I have an issue with config collection on Huawei routers (AR150).

It looks to me like a prompt issue, but I might be wrong.

The prompts look like -

Unprivileged prompt
<NET1111-DSL-XXXXXX.CE3>

Privileged prompt
[NET1111-DSL-XXXXXX.CE3]

I can see in the mailing lists that you did some work on h3clogin and
h3crancid. Did your version of these expect the > and ] prompts? If not,
can you point me to where in the scripts I need to modify the prompt?
I believe it is the ] prompt which is causing issues.

If I run the following  -

/usr/local/rancid/bin/h3clogin -t 40 -c"display current-configuration"
10.1.2.3

This is the output I get -

[rancid at zuffle bin]$ /usr/local/rancid/bin/h3clogin -t 40 -c"display
current-configuration" 10.1.2.3
10.1.2.3
spawn telnet 10.1.2.3
Trying 10.1.2.3...
Connected to 10.1.2.3.
Escape character is '^]'.


Login authentication


Username:rancid
Password:
<NET1111-DSL-XXXXXX.CE3>undo terminal monitor
Info: Current terminal monitor is off.
<NET1111-DSL-XXXXXX.CE3>screen-length 0 temporary
Info: The configuration takes effect on the current user terminal interface
only.
<NET1111-DSL-XXXXXX.CE3>system-view
Enter system view, return user view with Ctrl+Z.
[NET1111-DSL-XXXXXX.CE3]
Error: TIMEOUT reached
can not find channel named "exp4"
    while executing
"close"
    ("foreach" body line 136)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    # Since autoena..."
    (file "/usr/local/rancid/bin/h3clogin" line 578)

As you can see, rancid manages to log in to the router and run a couple of
commands, then runs the system-view command to become privileged, which
works, but it doesn't move on to run display current-configuration; instead
the process just times out. To me it looks like the change of prompt is
confusing the expect script.

For completeness here is the h3clogin script I am using - any help is
greatly appreciated!!

Thanks daze


#! /usr/bin/expect --
## $Id: h3clogin.in,v 1.79 2004/05/27 21:57:52 heas Exp $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commerical purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin
Schutz.
##
#
# The login expect scripts were based on Erik Sherk's gwtn, by permission.
#
# h3clogin - H3C (Huawei-3Com) login
#
# Most options are intuitive for logging into a Cisco router.
# The default is to enable (thus -noenable).  Some folks have
# setup tacacs to have a user login at priv-lvl = 15 (enabled)
# so the -autoenable flag was added for this case (don't go through
# the process of enabling and the prompt will be the "#" prompt.
# The default username password is the same as the vty password.
#

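# Set to 1 to enable some debugging.
# NOTE(review): Expect's internal debug output includes the strings handed to
# "send", so a debug run can expose passwords on the terminal or in any
# captured log.  Leave this at 0 outside of troubleshooting.
exp_internal 0

# Usage line.  (The "-p user-password" entry had been split across two lines
# by mail wrapping, which put a stray newline into the message.)
set usage "Usage: $argv0 \[-autoenable\] \[-noenable\] \[-c command\] \
\[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"

# env(CLOGIN) may contain:
# x == do not set xterm banner or name

# Password file.  It is sourced as Tcl by source_password_file, so it holds
# both the device credentials and code that runs with this user's rights.
set password_file $env(HOME)/.cloginrc
# Default is to login to the router (no -c command, no -s script)
set do_command 0
set do_script 0
# The default is to automatically enable
set avenable 1
# The default is that you login non-enabled (tacacs can have you login
# already enabled).  The wrapped word "already" used to sit on a line of its
# own, where Tcl would have tried to run it as a command.
set avautoenable 0
# The default is to look in the password file to find the passwords.  These
# flags track whether we received them on the command line instead.
set do_passwd 1
set do_enapasswd 1
# attempt at platform switching.
set platform ""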

# Choose the default login name: the first of CISCO_USER, USER and LOGNAME
# found in the environment.  If none is set, fall back to parsing the name
# out of the parentheses in id(1) output ("id" without options is used
# because it has been more portable than whoami or id -nu).
if {[info exists env(CISCO_USER)]} {
    set default_user $env(CISCO_USER)
} elseif {[info exists env(USER)]} {
    set default_user $env(USER)
} elseif {[info exists env(LOGNAME)]} {
    set default_user $env(LOGNAME)
} elseif {[catch {exec id} reason]} {
    # id itself could not be run; nothing sensible to log in as.
    send_error "\nError: could not exec id: $reason\n"
    exit 1
} else {
    # On success $reason holds id's output; take the text inside the first
    # pair of parentheses.
    regexp {\(([^)]*)} "$reason" junk default_user
}

# Sometimes routers take awhile to answer (Expect's default is 10 sec)
set timeout 45

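# Process the command line.
#
# Every option accepts both "-x value" and "-xvalue".  Parsing stops at the
# first argument that does not start with "-"; $i is left pointing at it and
# the main loop treats everything from there on as router names.
#
# Fixes relative to the posted script:
#   * "-uname" and "-wname" now store into username / enausername, the
#     variables the main loop actually tests (they used to land in unused
#     variables and were silently ignored);
#   * -V is accepted (the pattern list named -v* twice);
#   * -y extracts its inline value with [yY] instead of [eE];
#   * -X accepts an inline value like the other options.
#
# NOTE(review): -p, -v and -e place passwords on the command line, where
# other local users can usually read them from the process list while the
# script runs.  Keeping credentials in the password file (-f, default
# ~/.cloginrc) avoids that exposure.
#
# All comments live inside the case bodies on purpose: text between the
# patterns of a braced switch is parsed as patterns, not as comments.
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch -glob -- $arg {
        -u* -
        -U* {
            # Username
            if {![regexp {.[uU](.+)} $arg ignore username]} {
                incr i
                set username [lindex $argv $i]
            }
        }
        -p* -
        -P* {
            # User password (sent when the device has asked for a username)
            if {![regexp {.[pP](.+)} $arg ignore userpasswd]} {
                incr i
                set userpasswd [lindex $argv $i]
            }
            set do_passwd 0
        }
        -v* -
        -V* {
            # VTY password
            if {![regexp {.[vV](.+)} $arg ignore passwd]} {
                incr i
                set passwd [lindex $argv $i]
            }
            set do_passwd 0
        }
        -w* -
        -W* {
            # Enable username
            if {![regexp {.[wW](.+)} $arg ignore enausername]} {
                incr i
                set enausername [lindex $argv $i]
            }
        }
        -E* {
            # Variable to pass to -s scripts: -Ename=value sets $Ename.
            # The name comes straight from the command line; the forced "E"
            # prefix is what keeps it apart from this script's own variables.
            if {[regexp {.[E](.+)=(.+)} $arg ignore varname varvalue]} {
                set E$varname $varvalue
            } else {
                send_user "\nError: invalid format for -E in $arg\n"
                exit 1
            }
        }
        -e* {
            # Enable password
            if {![regexp {.[e](.+)} $arg ignore enapasswd]} {
                incr i
                set enapasswd [lindex $argv $i]
            }
            set do_enapasswd 0
        }
        -c* -
        -C* {
            # Command to run.
            if {![regexp {.[cC](.+)} $arg ignore command]} {
                incr i
                set command [lindex $argv $i]
            }
            set do_command 1
        }
        -s* -
        -S* {
            # Expect script to run.  The main loop sources this file, so it
            # executes as Tcl with the logged-in session available to it.
            if {![regexp {.[sS](.+)} $arg ignore sfile]} {
                incr i
                set sfile [lindex $argv $i]
            }
            if {![file readable $sfile]} {
                send_user "\nError: Can't read $sfile\n"
                exit 1
            }
            set do_script 1
        }
        -y* -
        -Y* {
            # 'ssh -c' cypher type
            if {![regexp {.[yY](.+)} $arg ignore cypher]} {
                incr i
                set cypher [lindex $argv $i]
            }
        }
        -f* -
        -F* {
            # alternate cloginrc file
            if {![regexp {.[fF](.+)} $arg ignore password_file]} {
                incr i
                set password_file [lindex $argv $i]
            }
        }
        -t* -
        -T* {
            # Timeout
            if {![regexp {.[tT](.+)} $arg ignore timeout]} {
                incr i
                set timeout [lindex $argv $i]
            }
        }
        -x* -
        -X* {
            # Command file: its lines are joined with ";" and handled as a
            # multi-command -c string.
            if {![regexp {.[xX](.+)} $arg ignore cmd_file]} {
                incr i
                set cmd_file [lindex $argv $i]
            }
            if {[catch {set cmd_fd [open $cmd_file r]} reason]} {
                send_user "\nError: $reason\n"
                exit 1
            }
            set cmd_text [read $cmd_fd]
            close $cmd_fd
            set command [join [split $cmd_text \n] \;]
            set do_command 1
        }
        -noenable {
            # Do we enable?
            set avenable 0
        }
        -autoenable {
            # Does tacacs automatically enable us?
            set avautoenable 1
            set avenable 0
        }
        -* {
            send_user "\nError: Unknown argument! $arg\n"
            send_user $usage
            exit 1
        }
        default {
            # First non-option argument: the router list starts here.
            break
        }
    }
}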
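# Process routers...no routers listed is an error.
# The posted script printed the usage text here but carried on, sourced the
# password file, looped over nothing and finished with exit status 0, so a
# caller could not tell a usage error from a successful run.
if { $i == $argc } {
    send_user "\nError: $usage"
    exit 1
}

# Only be quiet if we are running a script (it can log its output
# on its own); otherwise echo the session to the user.
log_user [expr {$do_script ? 0 : 1}]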

#
# Done configuration/variable setting.  Now run with it...
#

# Set the xterm icon name and window title to the host being visited.
#
# Does nothing when env(CLOGIN) contains an "x", when TERM is unset, or when
# TERM does not start with "xterm" or "vs".
#
# NOTE(review): $host is written into the escape sequences as given; it comes
# from the router argument on the command line (lower-cased by the main
# loop), so control characters in that argument would reach the terminal.
proc label { host } {
    global env

    # An 'x' in CLOGIN means: don't set the xterm name/banner.
    if {[info exists env(CLOGIN)] && [string first "x" $env(CLOGIN)] != -1} {
        return
    }
    if {![info exists env(TERM)]} {
        return
    }
    if {[regexp {^(xterm|vs)} $env(TERM)]} {
        # Icon name gets the short host name, window title the full one.
        set short_name [lindex [split $host "."] 0]
        send_user "\033]1;$short_name\a"
        send_user "\033]2;$host\a"
    }
}

# Helper that keeps the password file easy to maintain.  With it, the
# password file is written as lines of the form:
#   add password sl* pete cow
#   add password at* steve
#   add password * hanky-pie
# Each call appends its remaining arguments, as one list entry, to the global
# list int_<var>; find later scans that list in order.
proc add {var args} {
    upvar #0 int_$var entries
    lappend entries $args
}
# Pull another password file into the current one.  A leading "{" and a
# trailing "}" are stripped from the argument, a path that does not start
# with "/" is taken relative to $HOME, and the result is loaded through
# source_password_file -- so the included file goes through the same
# existence and permission checks and is likewise executed as Tcl.
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} path
    if {![string match "/*" $path]} {
        set path $env(HOME)/$path
    }
    source_password_file $path
}

# Look up the setting <var> for a router.  The caller's list int_<var> (as
# built by "add") is scanned in order; the first entry whose leading glob
# pattern matches $router wins and the rest of that entry is returned.
# Returns an empty list when the setting was never added or nothing matches.
# Because the first match wins, specific patterns must precede catch-alls
# such as "*" in the password file.
proc find {var router} {
    upvar int_$var entries
    if {![info exists entries]} {
        return {}
    }
    foreach entry $entries {
        set pattern [lindex $entry 0]
        if {[string match $pattern $router]} {
            return [lrange $entry 1 end]
        }
    }
    return {}
}

# Load the password file by sourcing it.
#
# The file is Tcl and is executed, not parsed: whoever can write it can run
# arbitrary code as the user running this script, in addition to reading or
# replacing the stored device credentials.  The original author accepted
# that on the grounds that the same person could edit the login script
# itself, and treats .cloginrc as an extension of the script.
#
# The script exits with status 1 when the file is missing, when any of the
# "other" permission bits is set, or when sourcing raises an error.
#
# NOTE(review): only the world (other) bits are tested.  Group permissions
# and file ownership are not examined here, so a group-writable file or one
# owned by another account still passes; keeping the file owner-only (mode
# 0600) is the safe configuration.
proc source_password_file { password_file } {
    global env
    if {![file exists $password_file]} {
        send_user "\nError: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    # Mask out everything except the rwx bits for "other".
    if {($fileinfo(mode) & 007) != 0} {
        send_user "\nError: $password_file must not be world readable/writable\n"
        exit 1
    }
    if {[catch {source $password_file} reason]} {
        send_user "\nError: $reason\n"
        exit 1
    }
}

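# Log into the router.
#
# Tries each connection method in $cmethod in turn (telnet[:port],
# ssh[:port] or rsh), then answers the username / password prompts until the
# device prompt ($prompt) is seen.
#
#   router      host to connect to
#   user        login name (also passed to ssh/rsh with -l)
#   userpswd    password sent when a username prompt has been seen
#   passwd      vty password sent when only a password prompt appears
#   enapasswd   enable password (not used in this proc)
#   cmethod     list of connection methods to try, in order
#   cyphertype  value passed to "ssh -c"
#
# Returns 0 once the prompt is seen and 1 on failure; the script exits if
# the client program cannot be spawned at all.
#
# Relative to the posted script this restores four statements that mail
# wrapping had broken: both "catch {spawn $sshcmd ...} reason" lines (the
# variable name had dropped onto the next line, inside the brackets), the
# host-authenticity pattern (a newline had been inserted into the regular
# expression) and the two known_hosts error messages.
#
# NOTE(review): telnet and rsh carry the username and passwords in clear
# text.  Where the device supports it, restrict "method" in the password
# file to ssh.
proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
    global spawn_id in_proc do_command do_script platform
    global prompt u_prompt p_prompt e_prompt sshcmd
    set in_proc 1
    set uprompt_seen 0

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        if [string match "telnet*" $prog] {
            regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn telnet $router} reason ]
            } else {
                set retval [ catch {spawn telnet $router $port} reason ]
            }
            if { $retval } {
                send_user "\nError: telnet failed: $reason\n"
                exit 1
            }
        } elseif [string match "ssh*" $prog] {
            regexp {ssh(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ]
            } else {
                set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user -p $port $router} reason ]
            }
            if { $retval } {
                send_user "\nError: $sshcmd failed: $reason\n"
                exit 1
            }
        } elseif ![string compare $prog "rsh"] {
            if [ catch {spawn rsh -l $user $router} reason ] {
                send_user "\nError: rsh failed: $reason\n"
                exit 1
            }
        } else {
            puts "\nError: unknown connection method: $prog"
            return 1
        }
        # $progs now counts the methods still left to try.
        incr progs -1
        sleep 0.3

        # This helps cleanup each expect clause.  On timeout or eof the
        # session is closed and reaped here; inside a proc (in_proc set) the
        # proc returns 1, otherwise the main loop moves on to the next
        # router.  Callers must not assume the session is still open after a
        # failure reported this way.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        # Here we get a little tricky.  There are several possibilities:
        # the router can ask for a username and passwd and then
        # talk to the TACACS server to authenticate you, or if the
        # TACACS server is not working, then it will use the enable
        # passwd.  Or, the router might not have TACACS turned on,
        # then it will just send the passwd.
        # if telnet fails with connection refused, try ssh
        #
        # NOTE(review): the "authenticity of host" branch below answers
        # "yes" unattended, so a first-seen SSH host key is accepted without
        # anyone comparing its fingerprint.  Pre-populating known_hosts from
        # a trusted source closes that gap.  A key that has CHANGED is
        # refused by the two branches after it.
        expect {
            -re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
                catch {close}; wait
                if !$progs {
                    send_user "\nError: Connection Refused ($prog): $router\n"
                    return 1
                }
            }
            -re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
                catch {close}; wait
                if !$progs {
                    send_user "\nError: Connection closed ($prog): $router\n"
                    return 1
                }
            }
            eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 }
            -nocase "unknown host\r" {
                catch {close};
                send_user "\nError: Unknown host $router\n"; wait; return 1
            }
            "Host is unreachable" {
                catch {close};
                send_user "\nError: Host Unreachable: $router\n"; wait; return 1
            }
            "No address associated with name" {
                catch {close};
                send_user "\nError: Unknown host $router\n"; wait; return 1
            }
            -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
                send "yes\r"
                send_user "\nHost $router added to the list of known hosts.\n"
                exp_continue }
            -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?"   {
                send "no\r"
                send_user "\nError: The host key for $router has changed.  Update the SSH known_hosts file accordingly.\n"
                return 1 }
            -re "Offending key for .* \(yes\/no\)\?"   {
                send "no\r"
                send_user "\nError: host key mismatch for $router.  Update the SSH known_hosts file accordingly.\n"
                return 1 }
            -re "(denied|Sorry)" {
                send_user "\nError: Check your passwd for $router\n"
                catch {close}; wait; return 1
            }
            "Login failed" {
                send_user "\nError: Check your passwd for $router\n"
                return 1
            }
            -re "% (Bad passwords|Authentication failed)" {
                send_user "\nError: Check your passwd for $router\n"
                return 1
            }
            "Press any key to continue." {
                # send_user "Pressing the ANY key\n"
                send "\r"
                exp_continue
            }
            -re "Enter Selection: " {
                # Catalyst 1900s have some lame menu.  Enter
                # K to reach a command-line.
                send "K\r"
                exp_continue;
            }
            -re "@\[^\r\n]+ $p_prompt" {
                # ssh pwd prompt
                sleep 1
                send "$userpswd\r"
                exp_continue
            }
            -re "$u_prompt" {
                send "$user\r"
                set uprompt_seen 1
                exp_continue
            }
            -re "$p_prompt" {
                sleep 1
                # A password prompt after a username prompt wants the user's
                # password; a bare password prompt wants the vty password.
                if {$uprompt_seen == 1} {
                    send "$userpswd\r"
                } else {
                    send "$passwd\r"
                }
                exp_continue
            }
            -re "$prompt" { break; }
            "Login invalid" {
                send_user "\nError: Invalid login: $router\n";
                catch {close}; wait; return 1
            }
        }
    }

    set in_proc 0
    return 0
}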

# Enable: enter the privileged (system) view.
#
# Sends "system-view" and then answers whatever the device asks for:
# $enauser at a username prompt, $enapasswd at an enable-password prompt.
# Returns 1 when the device reports an authentication failure, 0 when the
# expect below completes without one.
#
# in_proc is set to 1 for the duration, so the timeout/eof handlers that
# login installs with expect_after return 1 from this proc after closing the
# session (assuming that handler is still in effect here -- confirm).
#
# NOTE(review): none of the patterns below matches a plain device prompt.
# When system-view is accepted without any username or password prompt,
# nothing here can match, so this expect appears to wait until the timeout
# handler fires -- which fits the "Error: TIMEOUT reached" seen right after
# the "[...]" prompt.  Verify against the device before relying on it.
proc do_enable { enauser enapasswd } {
    global prompt in_proc
    global u_prompt e_prompt
    set in_proc 1

    set enacmd "system-view"
    send "$enacmd\r"

    expect {
-re "$u_prompt" { send "$enauser\r"; exp_continue}
-re "$e_prompt" { send "$enapasswd\r"; exp_continue}
        "(enable)"      { set prompt "> (enable) " }
-re "(denied|Sorry|Incorrect)" {
  # % Access denied - from local auth and poss. others
  send_user "\nError: Check your Enable passwd\n";
  return 1
}
"% Error in authentication" {
  send_user "\nError: Check your Enable passwd\n"
  return 1
}
"% Bad passwords" {
  send_user "\nError: Check your Enable passwd\n"
  return 1
}
    }
    # We set the prompt variable (above) so script files don't need
    # to know what it is.
    set in_proc 0
    return 0
}

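# Run commands given on the command line.
#
#   prompt   the device prompt as worked out by the main loop
#   command  one command, or several separated by ";"
#
# Each command is sent in turn and the device output is copied to the user
# until the prompt comes back; a "---- More ----" pager prompt is answered
# with a space.  Afterwards "quit" is sent (repeatedly, while the prompt
# keeps returning) to log out.  Returns 0.
#
# Relative to the posted script this restores the two pager comments that
# mail wrapping had split, leaving the bare word "look" on a line of its own
# where Tcl would have tried to run it as a command.
#
# NOTE(review): every command passes through "subst -nocommands", so "$"
# variable references and backslash sequences in the command text are
# substituted in this proc's scope rather than sent literally.  The Tcl
# subst documentation also notes that -nocommands does not stop a command
# substitution that is needed to complete a variable substitution, so the
# text given with -c or -x has to come from a trusted operator.
proc run_commands { prompt command } {
    global in_proc platform
    set in_proc 1

    # escape any parens and square brackets in the prompt, such as "(enable)"
    regsub -all {[][)(]} $prompt {\\&} reprompt

    expect {
        -re $reprompt {}
        -re "\[\n\r]+" { exp_continue }
    }

    # this is the only way i see to get rid of more prompts in o/p..grrrrr
    log_user 0
    # Is this a multi-command?
    if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # The pager can not be turned off on some 3Com/H3C, so we have to look
        # for the "More" prompt.
        for {set i 0} {$i < $num_commands} { incr i} {
            send "[subst -nocommands [lindex $commands $i]]\r"
            expect {
                -re "\b+" { exp_continue }
                -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)"
                }
                -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)"
                  exp_continue }
                -re "\[\n\r]+" { send_user -- "$expect_out(buffer)"
                  exp_continue }
                -re "^  ---- More ----.*\[^\n\r]*" {
                  sleep 0.1
                  send " "
                  exp_continue }
            }
        }
    } else {
        # The pager can not be turned off on some 3Com/H3C, so we have to look
        # for the "More" prompt.
        send "[subst -nocommands $command]\r"
        expect {
            -re "\b+" { exp_continue }
            -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)"
            }
            -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)"
              exp_continue }
            -re "\[\n\r]+" { send_user -- "$expect_out(buffer)"
              exp_continue }
            -re "^  ---- More ----.*\[^\n\r]*" {
              sleep 0.1
              send " "
              exp_continue }
        }
    }

    log_user 1

    send "quit\r"
    expect {
        -re "^\[^\n\r *]*$reprompt" {
            # H3C products
            # return to non-enabled mode
            # on exit in enabled mode.
            send "quit\r"
            exp_continue;
        }
        # TODO: we will need to do this too:
        # "Do you wish to save your configuration changes" {
        #   send "n\r"
        #   exp_continue
        # }
        -re "\[\n\r]+" { exp_continue }
        # hwlogin+mod:
        -re "\[^\n\r *]Note:" { return 0 }
        timeout { return 0 }
        eof { return 0 }
    }
    set in_proc 0
}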

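#
# For each router... (this is main loop)
#
# Loads the password file, then for every router named on the command line:
# resolves the per-router settings, logs in, optionally enters system view,
# works out the full prompt and finally runs the command (-c/-x), the script
# (-s) or hands the session to the user.
#
# Relative to the posted script:
#   * the cleanup after a failed do_enable is wrapped in catch.  do_enable
#     can fail through the timeout/eof handler, which has already closed and
#     reaped the session; the unguarded "close" then raised
#     'can not find channel named "exp4"' and aborted the whole run instead
#     of moving on to the next router;
#   * statements broken by mail wrapping are restored (the enable-password
#     test, the login call, and two comments whose tail had become a line of
#     its own).
#
source_password_file $password_file
set in_proc 0
foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    # Since autoenable is off by default, if we have it defined, it
    # was done on the command line. If it is not specifically set on the
    # command line, check the password file.
    if $avautoenable {
        set autoenable 1
        set enable 0
        # hwlogin:
        #set prompt " \\]\\"
        set prompt ">"
    } else {
        set ae [find autoenable $router]
        if { "$ae" == "1" } {
            set autoenable 1
            set enable 0
            # hwlogin:
            set prompt ">"
        } else {
            set autoenable 0
            set enable $avenable
            set prompt ">"
        }
    }

    # look for noenable option in .cloginrc
    # Strath: but I do not know why I made this change, and it does not appear
    # to be reflected in other *rancid in svn trunk.
    #    if [find noenable $router] != ""
    if { [find noenable $router] == "1" } {
        send_user "\nset enable 0.\n"
        set enable 0
    }

    # Figure out passwords
    if { $do_passwd || $do_enapasswd } {
        set pswd [find password $router]
        if { [llength $pswd] == 0 } {
            send_user "\nError: no password for $router in $password_file.\n"
            continue
        }
        if { $enable && $do_enapasswd && $autoenable == 0 && [llength $pswd] < 2 } {
            send_user "\nError: no enable password for $router in $password_file.\n"
            continue
        }
        set passwd [join [lindex $pswd 0] ""]
        set enapasswd [join [lindex $pswd 1] ""]
    }

    # Figure out username
    if {[info exists username]} {
        # command line username
        set ruser $username
    } else {
        set ruser [join [find user $router] ""]
        if { "$ruser" == "" } { set ruser $default_user }
    }

    # Figure out username's password (if different from the vty password)
    if {[info exists userpasswd]} {
        # command line user password
        set userpswd $userpasswd
    } else {
        set userpswd [join [find userpassword $router] ""]
        if { "$userpswd" == "" } { set userpswd $passwd }
    }

    # Figure out enable username
    if {[info exists enausername]} {
        # command line enausername
        set enauser $enausername
    } else {
        set enauser [join [find enauser $router] ""]
        if { "$enauser" == "" } { set enauser $ruser }
    }

    # Figure out prompts
    set u_prompt [find userprompt $router]
    if { "$u_prompt" == "" } {
        set u_prompt "(Username|Login|login|user name):"
    } else {
        set u_prompt [join [lindex $u_prompt 0] ""]
    }
    set p_prompt [find passprompt $router]
    if { "$p_prompt" == "" } {
        set p_prompt "(\[Pp]assword|passwd):"
    } else {
        set p_prompt [join [lindex $p_prompt 0] ""]
    }
    set e_prompt [find enableprompt $router]
    if { "$e_prompt" == "" } {
        set e_prompt "\[Pp]assword:"
    } else {
        set e_prompt [join [lindex $e_prompt 0] ""]
    }

    # Figure out cypher type
    # NOTE(review): the fallback "3des" is a legacy choice; set cyphertype
    # per device in the password file to a cipher that both the device and
    # the local ssh client still support.
    if {[info exists cypher]} {
        # command line cypher type
        set cyphertype $cypher
    } else {
        set cyphertype [find cyphertype $router]
        if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    # NOTE(review): with no "method" entry in the password file, telnet is
    # tried before ssh, so the login credentials cross the network in clear
    # text by default.  Add a method entry listing only ssh for devices that
    # support it.
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} }

    # Figure out the SSH executable name
    set sshcmd [find sshcmd $router]
    if { "$sshcmd" == "" } { set sshcmd {ssh} }

    # Login to the router
    if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype]} {
        continue
    }

    # Disable log junk being sent to terminal: must be done before $enacmd is
    # run.  It would be nice for this to be setable in .cloginrc
    send "undo terminal monitor\r"
    expect -re $prompt  {}

    # Turn session paging off; this only works on models like 3Com 4800G and
    # H3C.  Other models like 3Com 5500 have a screen-length command that only
    # works on a vty basis
    #send "screen-length disable\r"
    send "screen-length 0 temporary\r"

    if { $enable } {
        if {[do_enable $enauser $enapasswd]} {
            if { $do_command || $do_script } {
                # The session may already have been closed and reaped by the
                # timeout/eof handler, so neither call may be fatal here.
                catch {close}; catch {wait}
                continue
            }
        }
    }
    # we are logged in, now figure out the full prompt
    send "\r"
    expect {
        -re "\[\r\n]+" { exp_continue; }
        -re "^.+$prompt" { set junk $expect_out(0,string);
          regsub -all "\[\]\[]" $junk {\\&} prompt;
        }
        -re "^.+> \\\(enable\\\)" {
          set junk $expect_out(0,string);
          regsub -all "\[\]\[]" $junk {\\&} prompt;
        }
    }

    if { $do_command } {
        if {[run_commands $prompt $command]} {
            continue
        }
    } elseif { $do_script } {
#       # If the prompt is (enable), then we are on a switch and the
#       # command is "set length 0"; otherwise its "term length 0".
#       if [ regexp -- ".*> .*enable" "$prompt" ] {
#           send "set length 0\r"
#           send "set logging session disable\r"
#       } else {
#           send "term length 0\r"
#       }
        expect -re $prompt      {}
        # NOTE(review): the -s file is executed as Tcl in this scope, with
        # the authenticated session and the password variables in reach.
        # Treat script files with the same care as the password file.
        source $sfile
        close
    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each router
    wait
    sleep 0.3
}
exit 0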