RANCID is a software package that versions the configurations of Cisco (and other) network devices. It would be useful for us to monitor the configuration of existing switches.

See also ConfigurationManagementService.

Installation

OpenBSD install

A basic installation was performed on rtr1-canix2.koumbit.net but will be rolled back because it's not necessarily the right place for it (maybe log.koumbit.net would be better?). The installation was performed and controlled by Puppet.

(!) This has since been removed and reinstalled on puppet.koumbit.net, see below.

Debian install

The Debian package is in non-free in etch, so we need to build our own backport. This is done on builder.koumbit.net:

apt-src -b install rancid-core
dput builder rancid...

Two modifications were performed on the package:

  1. the build process was modified to make the ping test in ./configure ping the IP of builder since 127.0.0.1 doesn't work in a vserver

  2. the version number was bumped and the distribution set to 'stable' so it is uploaded to the right repo on debian.koumbit.net

The package is now available on debian.koumbit.net and will be tested on puppet.koumbit.net. The following packages were installed, manually for now:

rancid-core rancid-cgi diffstat telnet

Configuration

Debian Administration has a nice howto on how to set up TACACS+ and RANCID. Not sure we want to go the TACACS+ way yet (as there is no Debian package), but it's also interesting...

Rancid.conf

--- rancid.conf.orig    2008-11-12 12:59:10.000000000 -0500
+++ rancid.conf 2008-11-12 13:00:33.000000000 -0500
@@ -21,14 +21,14 @@
 BASEDIR=/var/lib/rancid; export BASEDIR
 PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
 # Location of the CVS/SVN repository.  Be careful changing this.
-CVSROOT=$BASEDIR/CVS; export CVSROOT
+CVSROOT=$BASEDIR/svn; export CVSROOT
 # Location of log files produced by rancid-run(1).
 LOGDIR=$BASEDIR/logs; export LOGDIR
 #
 # Select which RCS system to use, "cvs" (default) or "svn".  Do not change
 # this after CVSROOT has been created with rancid-cvs.  Changing between these
 # requires manual conversions.
-RCSSYS=cvs; export RCSSYS
+RCSSYS=svn; export RCSSYS
 #
 # if ACLSORT is NO, access-lists will NOT be sorted.
 #ACLSORT=YES; export ACLSORT
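Review bot: the RCSSYS=svn and CVSROOT=$BASEDIR/svn changes have to be applied before rancid-cvs first creates the repository, since the unchanged comment in this hunk says not to change them afterwards without a manual conversion; the page should state that they were applied on a fresh install. Also, the PATH line in the context lists /usr/bin twice, which is harmless but could be collapsed.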
@@ -64,6 +64,7 @@
 #LIST_OF_GROUPS="sl joebobisp"
 # more groups...
 #LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"
+LIST_OF_GROUPS="noc"
 #
 # For each group, define a list of people to receive the diffs.
 # in sendmail's /etc/aliases.
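Review bot: LIST_OF_GROUPS="noc" is set in one go here rather than appended as the commented examples do, which is fine for a single group, but the trailing comment means the mail aliases for group noc must exist in /etc/aliases before the first rancid-run, and rancid-cvs has to be rerun so the new group's repository and checkout get created.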

Aliases for -noc were added through Puppet. This config file is also in Puppet now.

Clogin configuration

We need to set up a .cloginrc file with the passwords:

root@puppet:/var/lib/rancid# touch .cloginrc
root@puppet:/var/lib/rancid# chmod 600 .cloginrc
root@puppet:/var/lib/rancid# chown rancid:rancid .cloginrc 

The format of the config is as follows:

add password * <userpass> <enablepass>

The first password is provided at the first prompt, the enable one at the second prompt. This file is now managed through puppet from /etc/puppet/files/cloginrc.

This configuration was done at the switch using:

no password manager
password manager # enter <enablepass> here
password operator user-name rancid # enter <userpass> here

Obviously, this is a major PITA at this point.

Once that is done, you should be able to log in to the switch automatically:

su rancid
/usr/lib/rancid/bin/clogin sw3-canix2.koumbit.net
...

This should give you an enable prompt if all goes well. If not, you goofed somewhere.

SVN repo setup

This is done automatically by the rancid-cvs command:

su rancid
/usr/lib/rancid/bin/rancid-cvs

This command needs to be run every time the GROUPS setting is modified. Puppet manages that automatically, so it shouldn't be necessary to run it manually.

The svn extension conveniently creates an svn checkout in /var/lib/rancid/<groupname> that you can use right away. In there, the router.db config file needs to be edited and committed. The current content of this file is:

#hostname:os:status
sw3-canix2.koumbit.net:hp:up

This could be PutInPuppet, but then we would also need the groups to be in Puppet... The possible values of the OS field are detailed in the router.db(5) manpage.
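As an added example (not part of the original page or of RANCID itself), the Python below ties the two files described above together: it parses router.db in the hostname:os:status format, reads the `add password <glob> <userpass> <enablepass>` lines of .cloginrc, reports any device marked up that no credential glob covers, and checks that the file mode is really 0600 as set with chmod earlier. The hosts other than sw3-canix2.koumbit.net are made up, and matching the hostname glob with fnmatch is my approximation of the pattern match clogin performs.

```python
import fnmatch
import stat

def parse_router_db(text):
    """Parse router.db lines of the form hostname:os:status; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"router.db line {lineno}: expected hostname:os:status, got {raw!r}")
        entries.append(tuple(parts))
    return entries

def cloginrc_password_globs(text):
    """Return the hostname globs of 'add password <glob> <userpass> <enablepass>' lines.
    Only that directive (the one used on this page) is recognised; other directives are ignored."""
    return [f[2] for f in (raw.split() for raw in text.splitlines())
            if len(f) >= 4 and f[0] == "add" and f[1] == "password"]

def devices_without_credentials(router_db, cloginrc):
    """Hosts marked 'up' in router.db whose name matches no .cloginrc password glob.
    fnmatchcase stands in for clogin's own glob match (assumption, see lead-in)."""
    globs = cloginrc_password_globs(cloginrc)
    return [host for host, _os, status in parse_router_db(router_db)
            if status == "up" and not any(fnmatch.fnmatchcase(host, g) for g in globs)]

def mode_is_owner_only(st_mode):
    """True for a regular file whose permission bits are exactly 0600 (pass os.stat(path).st_mode)."""
    return stat.S_ISREG(st_mode) and stat.S_IMODE(st_mode) == 0o600

# Constructed sample input (not the live files): the page's switch plus two made-up hosts.
SAMPLE_ROUTER_DB = """#hostname:os:status
sw3-canix2.koumbit.net:hp:up
sw4-example.koumbit.net:hp:up
old-switch.koumbit.net:hp:down
"""
SAMPLE_CLOGINRC = "add password sw3-* <userpass> <enablepass>\n"

if __name__ == "__main__":
    # sw4 is up but no glob covers it; old-switch is down and therefore not reported.
    print(devices_without_credentials(SAMPLE_ROUTER_DB, SAMPLE_CLOGINRC))  # ['sw4-example.koumbit.net']
```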

Main cronjob

At this point, rancid-run should do the right thing and commit your configurations to the SVN repository, as well as send changes out to the right emails.

It needs to be added as a cronjob:

# m h dom mon dow user command
# run config differ hourly
1 * * * * rancid /usr/bin/rancid-run
# clean out config differ logs
50 23 * * * rancid /usr/bin/find /var/lib/rancid/logs -type f -mtime +2 -exec rm {} \;

This has been submitted to the package maintainer: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505472

References


PutInPuppet

RancidManagement (last edited 2009-11-05 16:23:36 by localhost)