RANCID is a software package that allows for versioning of Cisco (and other devices') configurations. It would be useful for us to monitor the configuration of existing switches.
See also ConfigurationManagementService.
In order to avoid exposing switch passwords on a server that does not already hold this kind of sensitive information, we install RANCID on puppet.koumbit.net.
The latest version of RANCID finally supports storing changes in git. It's available on jessie-backports.
apt install -t jessie-backports rancid
--- rancid.conf.orig 2008-11-12 12:59:10.000000000 -0500 +++ rancid.conf 2008-11-12 13:00:33.000000000 -0500 @@ -21,14 +21,14 @@ BASEDIR=/var/lib/rancid; export BASEDIR PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH # Location of the CVS/SVN repository. Be careful changing this. -CVSROOT=$BASEDIR/CVS; export CVSROOT +CVSROOT=$BASEDIR/git; export CVSROOT # Location of log files produced by rancid-run(1). LOGDIR=$BASEDIR/logs; export LOGDIR # # Select which RCS system to use, "cvs" (default) or "svn". Do not change # this after CVSROOT has been created with rancid-cvs. Changing between these # requires manual conversions. -RCSSYS=cvs; export RCSSYS +RCSSYS=git; export RCSSYS # # if ACLSORT is NO, access-lists will NOT be sorted. #ACLSORT=YES; export ACLSORT @@ -64,6 +64,7 @@ #LIST_OF_GROUPS="sl joebobisp" # more groups... #LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp" +LIST_OF_GROUPS="noc" # # For each group, define a list of people to receive the diffs. # in sendmail's /etc/aliases.
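Review bot: the comment two lines above the RCSSYS change still says `"cvs" (default) or "svn"`, and the comment above CVSROOT still calls it the `CVS/SVN repository`; since both settings now point at git, update those comments in the same change so the file documents the option actually in use, e.g. `# Select which RCS system to use, "cvs" (default), "svn" or "git".`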
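Review bot: `LIST_OF_GROUPS="noc"` in the second hunk is an uncommented assignment dropped among commented-out examples; a one-line comment next to it naming the per-group mail aliases it depends on (the comment right below says the diff recipients are defined in sendmail's /etc/aliases) would make the dependency on the Puppet-managed aliases visible to the next person editing the file.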
Aliases for -noc were added through Puppet. This config file is also in Puppet now.
We need to set up a .cloginrc file with the passwords:
root@puppet:/var/lib/rancid# touch .cloginrc
root@puppet:/var/lib/rancid# chmod 600 .cloginrc
root@puppet:/var/lib/rancid# chown rancid:rancid .cloginrc
The format of the config is as follows:
add password * <userpass> <enablepass>
The first password is provided at the first prompt, the enable one at the second prompt. This file is now managed through puppet from /etc/puppet/files/cloginrc.
This configuration was done at the switch using:
no password manager
password manager  # enter <enablepass> here
password operator user-name rancid  # enter <userpass> here
Obviously, this is a major PITA at this point.
Once that is done, you should be able to log in to the switch automatically:
su rancid
/usr/lib/rancid/bin/clogin sw3-canix2.koumbit.net
...
This should give you an enable prompt if all goes well. If not, you goofed somewhere.
Git repo setup
This is done automatically by the rancid-cvs command:
sudo -u rancid /usr/lib/rancid/bin/rancid-cvs
This command needs to be run every time the LIST_OF_GROUPS setting is modified. Puppet manages that automatically, so it should not be necessary to run it manually.
The rancid-cvs executable conveniently creates a clone in /var/lib/rancid/<groupname> you can already use. In there the router.db config file needs to be edited and committed. The current content of this file is:
This could be PutInPuppet, but then we would also require the groups to be in Puppet... The possible values of the OS field are detailed in the rancid.db(5) manpage.
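Since the whole point of putting RANCID on the Puppet host is to keep the switch passwords off less trusted machines, a pre-flight check before rancid-run is worth having. The script below is an added example (not part of this page's setup or of the RANCID package): it checks that .cloginrc is a regular file with no group/other permission bits and the expected owner, and that every non-comment line of a group's router.db has the three `host;os;state` fields with state `up` or `down`. It assumes GNU stat (Debian/Linux) and the ';' separator used by rancid 3.x router.db files; the paths and the `rancid` user are the ones this page uses.

```shell
#!/bin/sh
# Added example: sanity checks for the RANCID files this page describes.
# Assumes GNU coreutils stat and rancid 3.x router.db syntax (host;os;state).

# check_cloginrc FILE [OWNER]
# Returns 0 when FILE exists, is mode 600 (or 400) and, if OWNER is given,
# belongs to that user. Any group/other permission bit is a failure, since
# the file holds the switch login and enable passwords in clear text.
check_cloginrc() {
    file=$1
    owner=${2:-}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "bad mode $mode on $file (want 600)" >&2; return 1 ;;
    esac
    if [ -n "$owner" ] && [ "$(stat -c '%U' "$file")" != "$owner" ]; then
        echo "wrong owner on $file (want $owner)" >&2
        return 1
    fi
    return 0
}

# check_router_db FILE
# Validates each non-blank, non-comment line as host;os;state with state
# "up" or "down". Returns 1 if any line is malformed (all are reported).
check_router_db() {
    file=$1
    bad=0
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        nfields=$(printf '%s\n' "$line" | awk -F';' '{print NF}')
        state=$(printf '%s\n' "$line" | awk -F';' '{print $3}')
        if [ "$nfields" -ne 3 ] || { [ "$state" != up ] && [ "$state" != down ]; }; then
            echo "malformed router.db line: $line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Usage on the host described above (BASEDIR and group "noc" from rancid.conf):
#   check_cloginrc /var/lib/rancid/.cloginrc rancid && \
#   check_router_db /var/lib/rancid/noc/router.db && \
#   sudo -u rancid /usr/lib/rancid/bin/rancid-run
```

Running both checks in front of rancid-run (for example as the first lines of the cron job) means a permission slip on .cloginrc or a typo in router.db is reported before the collector ever tries to log in to a switch.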
At this point, rancid-run should do the right thing and commit your configurations to the git repository, as well as send changes out to the right emails.
The package in jessie-backports creates a file /etc/cron.d/rancid that needs to be edited to uncomment the cronjobs.