RANCID is a software package that allows for versionning of Cisco (and other devices) configurations. It would be useful for us to monitor the configuration of existing switches.

See also ConfigurationManagementService.


In order to avoid exposing switch passwords on a server that's not already containing this kind of sensitive information, we install RANCID on puppet.koumbit.net.

Debian install

The latest version of RANCID finally supports storing changes in git. It's available on jessie-backports.

apt install -t jessie-backports rancid


Debian Administration has a nice howto on how to setup TACAS+ and RANCID. Not sure we want to go the TACAS way yet (as there is no debian package), but it's also interesting...


--- rancid.conf.orig    2008-11-12 12:59:10.000000000 -0500
+++ rancid.conf 2008-11-12 13:00:33.000000000 -0500
@@ -21,14 +21,14 @@
 BASEDIR=/var/lib/rancid; export BASEDIR
 PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
 # Location of the CVS/SVN repository.  Be careful changing this.
 # Location of log files produced by rancid-run(1).
 # Select which RCS system to use, "cvs" (default) or "svn".  Do not change
 # this after CVSROOT has been created with rancid-cvs.  Changing between these
 # requires manual conversions.
-RCSSYS=cvs; export RCSSYS
+RCSSYS=git; export RCSSYS
 # if ACLSORT is NO, access-lists will NOT be sorted.
@@ -64,6 +64,7 @@
 #LIST_OF_GROUPS="sl joebobisp"
 # more groups...
 #LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"
 # For each group, define a list of people to receive the diffs.
 # in sendmail's /etc/aliases.

Aliases for -noc were added through Puppet. This config file is also in Puppet now.

Clogin configuration

We need to setup a .clogin file with the passwords:

root@puppet:/var/lib/rancid# touch .cloginrc
root@puppet:/var/lib/rancid# chmod 600 .cloginrc
root@puppet:/var/lib/rancid# chown rancid:rancid .cloginrc 

The format of the config is as follows:

add password * <userpass> <enablepass>

The first password is provided at the first prompt, the enable one at the second prompt. This file is now managed through puppet from /etc/puppet/files/cloginrc.

This configuration was done at the switch using:

no password manager
password manager # enter <enablepass> here
password operator user-name rancid # enter <userpass> here

Obviously, this is a major PITA at this point.

Once that is done, you should be able to login automatically to the switch:

su rancid
/usr/lib/rancid/bin/clogin sw3-canix2.koumbit.net

This should give you a enable prompt if all goes well. If not, you goofed somewhere.

Git repo setup

This is done automatically by the rancid-cvs command:

sudo -u rancid /usr/lib/rancid/bin/rancid-cvs

This command needs to be run every time the GROUPS setting is modified. Puppet automatically manages that so it shouldn't be required to run it manually.

The rancid-cvs executable conveniently creates a clone in /var/lib/rancid/<groupname> you can already use. In there the router.db config file needs to be edited and committed. The current content of this file is:


This could be PutInPuppet, but then we would also require the groups to be in puppet... The OS field possible values are details in the rancid.db(5) manpage.

Main cronjob

At this point, rancid-run should do the right thing and commit your configurations to the git repository, as well as send changes out to the right emails.

The package in jessie-backports creates a file /etc/cron.d/rancid that needs to be edited to uncomment the cronjobs.



RancidManagement (last edited 2017-04-01 04:07:04 by GabrielFilion)