[rancid] Rancid via proxy host

Alan McKinnon alan.mckinnon at gmail.com
Wed Oct 12 14:04:04 UTC 2016


That makes more sense, thanks.

So each of those netxms can be configured to act as an ssh
bastion/jumphost to tunnel your ssh traffic through to the network
devices. The whole scheme can get a touch complex with several moving
parts, but as long as you have a pretty diagram laying out the design,
it should be easy enough for you and your colleagues to manage.

These things are usually very site-specific so I don't want to get into
too much detail, and especially don't want to discuss what ${Joe Random
Blogger} did, but essentially it's along these lines:

For each customer, set up ssh forwarding on the netxms machine
(ssh -L), one unique port per device. Put those connection details into
~/.ssh/config for each fqdn so that rancid ends up getting to the right
place with the normal
clogin <fqdn>

This is all pretty standard ssh goodness, the man pages cover it quite
extensively.

Of course you also have to make sure the VPN is up if your traffic is
going to cross that. And finally you'll be punching holes in customer's
network firewalls to make this work so clearing it with the customer is
a good idea :-)


On 12/10/2016 15:43, Adrian A. Dimitrov wrote:
> Hello Alan,
> 
> Thanks for the fast reply! Usually to connect to the devices via ssh we are using VPN (connecting via cisco anyconnect client).
> 
> To clear my thoughts out.
> We are using the monitoring system netxms. The server is in our network (linux debian) and for each client we have linux machines (netxms agents) installed (in the client's environment). So the server is communicating with the agents on a specific port to collect the data. My idea is somehow to use these machines and make the backups through them.
> 
> Is this possible somehow? We found this article http://ingenious-excerpts.blogspot.bg/2013/07/rancid-and-relays-using-usercmd-patch.html, and I tried to configure this, but with no success.
> 
> Best Regards,
> Adrian Dimitrov
> 
> 
> -----Original Message-----
> From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, October 12, 2016 3:12 PM
> To: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Rancid via proxy host
> 
> Assuming that you have no direct ssh path from your environment to the
> customer's:
> 
> First idea that comes to mind is to use ssh for connecting to all devices, then leverage the ssh proxy/forwarding features configurable in ~/.ssh/config
> 
> Telnet can be more tricky, you might end up having to use a range of ports forwarded to <customer_env>:23 or similar.
> 
> This one statement of yours is nonsensical:
> "For this purpose I will use our monitoring system which has its own agents in each customer environment."
> That makes no sense wrt rancid, please elaborate on your thoughts how you reckon this could work? Such as, what connectivity exists between you and the customers?
> 
> 
> 
> 
> On 12/10/2016 13:51, Adrian A. Dimitrov wrote:
>> Hello All,
>>
>>  
>>
>> I am new to rancid. I am still testing it, but so far it is working 
>> perfectly fine for me.
>>
>>
>>
>> Now what I need is to back up the configuration of devices that are 
>> beyond my network. My idea is to install only one rancid server in our 
>> network and to make and collect the backups from remote hosts in the 
>> customer's environment. For this purpose I will use our monitoring 
>> system which has its own agents in each customer environment. How can 
>> I do this? I am using the latest version downloaded from the official site.
>>
>>  
>>
>> Thanks.
>>
>>  
>>
>> Best Regards,
>>
>> Adrian Dimitrov
>>
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>>
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com
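
Added example, not part of the original message and not rancid's own code: a Python sketch of the scheme described above (one ssh -L forward per device through the customer's netxms machine, plus a ~/.ssh/config stanza per fqdn so that clogin <fqdn> reaches the right port). It assumes the forwards are opened from the rancid host and listen on its loopback address; the hostnames, addresses, the "rancid" login name and the 22001 base port are all constructed.

```python
# Added example: constructed inventory, every name/address/port below is made up.
BASE_PORT = 22001  # assumption: first local port reserved for device forwards

# (netxms agent used as jump host, device fqdn, device address inside customer net)
INVENTORY = [
    ("netxms-agent.cust-a.example", "sw1.cust-a.example", "10.10.0.11"),
    ("netxms-agent.cust-a.example", "rtr1.cust-a.example", "10.10.0.1"),
    ("netxms-agent.cust-b.example", "fw1.cust-b.example", "192.168.50.254"),
]

def plan(inventory, base_port=BASE_PORT):
    """Assign one unique loopback port per device; reject duplicate fqdns."""
    seen, out = set(), []
    for offset, (jump, fqdn, addr) in enumerate(inventory):
        if fqdn in seen:
            raise ValueError(f"duplicate device {fqdn}")
        port = base_port + offset
        if port > 65535:
            raise ValueError("ran out of local ports")
        seen.add(fqdn)
        out.append({"jump": jump, "fqdn": fqdn, "addr": addr, "port": port})
    return out

def tunnel_commands(entries, user="rancid"):
    """One ssh process per jump host carrying all of that customer's -L forwards."""
    by_jump = {}
    for e in entries:
        by_jump.setdefault(e["jump"], []).append(
            f"-L 127.0.0.1:{e['port']}:{e['addr']}:22")  # loopback-only listener
    return [f"ssh -N -o ExitOnForwardFailure=yes {' '.join(fw)} {user}@{jump}"
            for jump, fw in by_jump.items()]

def ssh_config(entries):
    """Host stanzas so that 'clogin <fqdn>' lands on the forwarded port."""
    stanzas = []
    for e in entries:
        stanzas.append("\n".join([
            f"Host {e['fqdn']}",
            "    HostName 127.0.0.1",
            f"    Port {e['port']}",
            # Check the key under the device name, not [127.0.0.1]:port, so
            # renumbering ports cannot pair a device with another device's key.
            f"    HostKeyAlias {e['fqdn']}",
            "    StrictHostKeyChecking yes",
        ]))
    return "\n\n".join(stanzas) + "\n"

if __name__ == "__main__":
    entries = plan(INVENTORY)
    print("\n".join(tunnel_commands(entries)) + "\n\n" + ssh_config(entries))
```

With StrictHostKeyChecking yes, each device's host key has to be in known_hosts under its fqdn before the first clogin run.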


