RANCID on Debian
Posted by prox, from Charlotte, on January 24, 2008 at 00:39 local (server) time

RANCID (Really Awesome New Cisco confIg Differ) is a collection of backup scripts for Cisco, Juniper, NetScreen, Force10, etc. routers and firewalls.  We used it at work over a year ago, before going with some other shiny-looking commercial application.  Back then, the Debian packages weren't all that mature, so we ended up doing a source-based install, which worked, but didn't allow for easy upgrading.

Since a year has passed, and I figured the Debian packages were better, I decided to try it out on my network.  Here's a blazing fast howto using the official Debian packages, without any bad hacks:

Installation

Simple, just get the required packages:

# apt-get install rancid-core rancid-utils

When asked by debconf if this is a new installation, answer yes.  The rancid user will be created with no login shell (so everything below is run through sudo -u rancid -H rather than su - rancid) and given a home directory of /var/lib/rancid.  There should only be two symlinks in that directory:

atlantis:/var/lib/rancid# ls -lah
total 32K
drwxr-xr-x  6 rancid rancid 4.0K 2008-01-24 00:05 .
drwxr-xr-x 35 root   root   4.0K 2008-01-23 22:42 ..
lrwxrwxrwx  1 root   root     19 2008-01-23 22:42 bin -> /usr/lib/rancid/bin
lrwxrwxrwx  1 root   root     16 2008-01-23 22:42 logs -> ../../log/rancid

That's it, RANCID is installed.  Now, you need to configure it.

Configuration

Let's say you want to backup four devices, 2x Juniper routers, 1x Cisco router, and 1x Juniper firewall (NetScreen).  For simplicity, let's also say they contact some central authentication server (e.g. RADIUS) and all share the same credentials.  Let's simplify the situation even further, and assume that this set of credentials is given level 15 access from the authentication server, so logging into the Cisco router automatically gives you enable access.  Oh yeah, let's also assume that every device accepts SSH logins.

Knowing this, we create /var/lib/rancid/.cloginrc, which defines our credentials and authentication method.  Each line has the form add <directive> <device-pattern> <value>; the device pattern is a glob matched against the hostname, so * applies the setting to every device:

add autoenable * 1
add user * ranciduser
add password * rancidpass
add method * ssh

Replace ranciduser and rancidpass with your credentials.  Then do the following to make RANCID happy, and a little more secure (the file holds plaintext device credentials; clogin refuses to run if it is world-readable, and 600 is the tighter choice if nobody else in the rancid group needs to read it):

# chown rancid:rancid /var/lib/rancid/.cloginrc
# chmod 640 /var/lib/rancid/.cloginrc

We'll call the two Juniper routers cesium and chromium, the Cisco router carbon, and the Juniper firewall xenon (I hope your routers are labeled something like cr0.nycmny1, and not random elements from the periodic table).  Anyway…

RANCID needs groups for devices, so the three routers will go into a routers group and the firewall into a firewalls group.  Edit /etc/rancid/rancid.conf, and add this line:

LIST_OF_GROUPS="routers firewalls"

Now, let's tell RANCID to create the CVS (RANCID uses CVS by default) repositories:

sudo -u rancid -H /var/lib/rancid/bin/rancid-cvs

You need to use sudo with the -H flag: the rancid user has no login shell to su - into, and -H sets HOME to /var/lib/rancid so that clogin finds .cloginrc there.  It'll spit out a couple of messages that will hopefully indicate success.

Now, you need to edit the router.db file for each group.  Here's what they should look like:

# cat /var/lib/rancid/firewalls/router.db
xenon:netscreen:up

# cat /var/lib/rancid/routers/router.db
cesium:juniper:up
chromium:juniper:up
carbon:cisco:up

The format is hostname (or IP):type:status, and only entries marked up are polled; set a device to down to keep its history in the repository without contacting it.  Let's assume DNS is set up, in this case.
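As an added example (not from the original post or the Debian package), here is a POSIX sh pre-flight script covering the two things in the configuration steps above that otherwise fail silently at the first rancid-run: the permissions on .cloginrc and the shape of each group's router.db.  It reads LIST_OF_GROUPS from rancid.conf itself.  The path arguments, the function names and the KNOWN_TYPES list are this example's own assumptions, and it expects the colon-delimited router.db of RANCID 2.x (3.x switched to semicolons).

```shell
#!/bin/sh
# rancid-preflight.sh: sanity checks for a RANCID 2.x install before the first
# rancid-run.  Added example; not part of the Debian package or the original post.
# Assumes the colon-delimited router.db of RANCID 2.x (3.x uses ';') and the
# standard ls -l column layout (mode in columns 1-10, owner in column 3).

# Device types this example accepts in router.db.  rancid-fe knows many more;
# extend the list to match the devices you actually back up.
KNOWN_TYPES="cisco juniper netscreen force10"

# check_cloginrc_perms FILE [OWNER]
# .cloginrc holds plaintext device credentials.  Pass if FILE exists, is owned
# by OWNER (default: rancid), has no world permission bits and is not
# group-writable; otherwise print why and return 1.
check_cloginrc_perms() {
    file=$1
    owner=${2:-rancid}
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    ls_line=$(ls -ld "$file")
    mode=$(printf '%s\n' "$ls_line" | cut -c1-10)
    fowner=$(printf '%s\n' "$ls_line" | awk '{print $3}')
    grp=$(printf '%s\n' "$mode" | cut -c5-7)
    oth=$(printf '%s\n' "$mode" | cut -c8-10)
    rc=0
    if [ "$fowner" != "$owner" ]; then
        echo "$file: owned by $fowner, expected $owner"; rc=1
    fi
    if [ "$oth" != "---" ]; then
        echo "$file: world-accessible ($mode); clogin rejects a world-readable .cloginrc"; rc=1
    fi
    case "$grp" in
        *w*) echo "$file: group-writable ($mode)"; rc=1 ;;
    esac
    return $rc
}

# check_router_db FILE
# Every non-comment line must be host:type:status with a known type and a
# status of up or down.  Prints one diagnostic per bad line; returns 1 if any.
check_router_db() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
            *:*:*:*) echo "$file:$n: too many fields: $line"; bad=1; continue ;;
            *:*:*) ;;
            *) echo "$file:$n: expected host:type:status, got: $line"; bad=1; continue ;;
        esac
        host=${line%%:*}
        rest=${line#*:}
        dtype=${rest%%:*}
        status=${rest#*:}
        [ -n "$host" ] || { echo "$file:$n: empty hostname"; bad=1; }
        case " $KNOWN_TYPES " in
            *" $dtype "*) ;;
            *) echo "$file:$n: unknown device type '$dtype'"; bad=1 ;;
        esac
        case "$status" in
            up|down) ;;
            *) echo "$file:$n: status must be up or down, got '$status'"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# count_up FILE
# Prints how many devices rancid-run will actually poll (status "up";
# "down" entries stay in the repository but are skipped).
count_up() {
    awk -F: '/^#/ { next } NF == 3 && $3 == "up" { c++ } END { print c + 0 }' "$1"
}

# preflight BASEDIR RANCID_CONF [OWNER]
# Checks .cloginrc under BASEDIR and the router.db of every group listed in
# LIST_OF_GROUPS in RANCID_CONF.  Returns 1 if anything failed.
preflight() {
    base=$1
    conf=$2
    owner=${3:-rancid}
    rc=0
    check_cloginrc_perms "$base/.cloginrc" "$owner" || rc=1
    glist=$(sed -n 's/^LIST_OF_GROUPS="\([^"]*\)".*/\1/p' "$conf")
    [ -n "$glist" ] || { echo "$conf: no LIST_OF_GROUPS line"; return 1; }
    for g in $glist; do
        check_router_db "$base/$g/router.db" || rc=1
        echo "$g: $(count_up "$base/$g/router.db") device(s) up"
    done
    return $rc
}

# Usage: sh rancid-preflight.sh /var/lib/rancid /etc/rancid/rancid.conf
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it as sh rancid-preflight.sh /var/lib/rancid /etc/rancid/rancid.conf before the first rancid-run; a non-zero exit means one of the steps above needs fixing.  The group-writable check is stricter than what clogin itself enforces, on the grounds that anyone in group rancid could otherwise rewrite the credentials every device accepts.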

Testing

Now, run a test:

# sudo -u rancid -H /usr/bin/rancid-run

Wait a minute or so, and then check the log file for each group.  Hopefully it'll look like this:

# cat /var/lib/rancid/logs/routers.20080123.234959
starting: Wed Jan 23 23:49:59 EST 2008



Trying to get all of the configs.
All routers sucessfully completed.

cvs diff: Diffing .
cvs diff: Diffing configs
cvs commit: Examining .
cvs commit: Examining configs
/var/lib/rancid/CVS/routers/configs/chromium,v  <--  configs/chromium
new revision: 1.2; previous revision: 1.1
/var/lib/rancid/CVS/routers/configs/cesium,v  <--  configs/cesium
new revision: 1.2; previous revision: 1.1
/var/lib/rancid/CVS/routers/configs/carbon,v  <--  configs/carbon
new revision: 1.2; previous revision: 1.1

The firewall one should look similar, but only with one device.  Great success!

Scheduling

The Debian package comes with a sample crontab in /usr/share/doc/rancid-core/examples/cron.example.  It seems appropriate, so you can place its contents into a crontab for the rancid user:

sudo -u rancid -H crontab -e

cvsweb

I assume you have Apache installed.  If not, grab apache2-mpm-prefork, or one of the threading models.  Then:

% sudo apt-get install cvsweb

According to README.Debian, you'll have to add an alias to your Apache configuration (/etc/apache2/sites-enabled/000-default, if you don't have any other vhosts) to get the icons and stylesheets:

Alias /cvsweb/ /usr/share/cvsweb/

And, since the repository holds complete device configurations (SNMP communities, password hashes and the like), you want to protect it: I suggest either only allowing certain subnets (below) or creating an htdigest:

<LocationMatch "^/cgi-bin/cvsweb">
   Order deny,allow
   Deny from all
   Allow from 10.22.33.0/24
</LocationMatch>

Put that in 000-default, too.  On Apache 2.4 or later, the three Order/Deny/Allow lines are replaced by a single Require ip 10.22.33.0/24.

That's it, you're done!

Comment by mikej on February 09, 2008 at 03:51 local (server) time

Are you sure about the "create a cloginrc file in /var/lib/network/.cloginrc"

Comment by Mark Kamichoff [Website] on February 09, 2008 at 14:26 local (server) time

Eep, that's a typo.  Should be "create a .cloginrc file in /var/lib/rancid".  Fixed, now - thanks for pointing it out.

Comment by ingdeltrance on July 31, 2008 at 20:49 local (server) time

When I installed rancid (Debian etch), it asked to have the .cloginrc under the /root folder to work, and to have the right permissions:

# chown rancid:rancid /root/.cloginrc
# chmod 640 /root/.cloginrc

BTW this link might help if no RADIUS or TACACS is being used

http://www.shrubbery.net/pipermail/rancid-discuss/2007-November/002564.html

Comment by Adam Przestroga on July 15, 2009 at 03:26 local (server) time

What if I wanted to enforce user authentication on top of that (i.e. the user will be prompted for a username/password combination when accessing the CVS repository)?

Comment by Miguel on November 30, 2010 at 12:18 local (server) time

In my case I have added these lines to /etc/cvsweb/cvsweb.conf

@CVSrepositories = (
    'local'   => ['Local Repository', '/var/lib/rancid/CVS'],
);

and access it over HTTP like this:
http://my.ip.address/cgi-bin/cvsweb/

