RANCID

I initially set out to research a tool that could be used to accomplish the above goals, and quickly came across RANCID. From the RANCID website, it does the following:

* logs in to each configured device,
* runs various commands to get the information that will be saved,
* cooks the output; re-formats, removes oscillating or increasing data,
* emails any differences from the previous collection to a mail list,
* and finally commits those changes to the version control system

With a little further investigation, I decided that it would be perfect for our needs, and with the addition of a little scripting, could be made into an (almost) fully automated system for editing configurations and recording those edits. The following is a record of the process I went through to build the system that is now working for us.

RANCID Installation

Build the server

I started with a vanilla installation of Ubuntu as the OS to host the RANCID installation and repository. The instructions on the RANCID website are specific to CentOS, but I'm more familiar with Ubuntu, so I went with that. I won't go into the details of the installation, save to say that you'll want the server version, and remember to update it after the install completes.

Check your networking

You'll need to be able to reach the devices that you intend to back up from the new server. It's worth making sure that everything here is correct at the start, as it'll save you headaches later. It's easiest to add entries to your hosts file for all the devices that you intend to check. Open /etc/hosts and add a new entry for each device that you want RANCID to check, in the same format as the existing localhost entries:

1.1.1.1 firewall.nottingham.com fw-not

Make sure that you can ping all the devices you add, both by IP and by hostname. If you can't, you'll need to resolve the network issues before RANCID will be able to log into the devices. It's worth checking that you can SSH into the devices at this stage too.
You may well also need to edit the device configs to allow SSH from your new server, for example where an access list or trusted-host setting restricts management access.

Get Sendmail working

The first job is to install Sendmail, so RANCID can email you with changes to configs as they're made:

apt-get install sendmail

Next, configure Sendmail to relay via your SMTP server by adding the following to /etc/mail/sendmail.mc (note the m4 quoting: an opening backtick and a closing apostrophe):

define(`SMART_HOST', `your-mail-server.com')dnl

Run the following commands to put your new config into Sendmail:

cd /etc/mail
m4 sendmail.mc > sendmail.cf
make
service sendmail restart

Make sure that you authorise your RANCID server to relay on your SMTP server, otherwise your mail won't get through. If you can telnet to port 25 on the email server, you're on the right track. Finally, you can test your Sendmail config:

sendmail -v user@domainname < test.mail

where test.mail contains the following:

Subject: test mail

first line of your message

(the blank line between the Subject header and the body is required). If all is working, you will receive the test email. If not, Google is your friend. Until Sendmail is working, RANCID won't be able to email you the changes it records, but it won't stop everything else from working.

Install RANCID

RANCID is in the Ubuntu repository, so it can be installed with apt-get:

sudo apt-get install rancid

Configure RANCID groups

The installation creates a new user and group named "rancid" with a home directory of /var/lib/rancid. You must create at least one group in RANCID to logically organise your devices. You can base the group names on any criteria you wish: geographic location, client, function etc. I used location. Edit the RANCID config file:

vim /etc/rancid/rancid.conf

It's a blank file by default. Add a line of config with your chosen groups:

LIST_OF_GROUPS="Nottingham Derby Leicester"

While you're in rancid.conf, it's also worth setting FILTER_PWDS=YES (or ALL) if your version has it, so that passwords and similar secrets are stripped from the collected configs before RANCID commits and emails them; otherwise every secret that changes on a device ends up in the diff mail.

Configure email notifications

RANCID needs to know who to notify about changes to devices in each group. This is done by creating email aliases in the MTA config. Remember that these mails carry config diffs, so point them at an internal mailbox rather than an external one.
As we already know, this is Sendmail on Ubuntu, and the config file in question is /etc/aliases:

vim /etc/aliases

You need to add two aliases for each group that you created in the previous step: rancid-GROUP, which receives the diffs, and rancid-admin-GROUP, which receives errors. For the Nottingham group:

rancid-Nottingham: [your-email@address.com]
rancid-admin-Nottingham: [your-email@address.com]

Lastly, you'll need to let Sendmail know about the new aliases:

sudo /usr/sbin/newaliases

Create the CVS repository

By default, RANCID uses the Concurrent Versions System (CVS) to store your device configs. This gives you the ability to track changes over time, and to compare versions to one another. RANCID can also use Subversion (SVN), but I didn't see any reason not to go with CVS.

RANCID will create the CVS repository and folder structure for you, based on the groups that you defined earlier. This command needs to be run as the 'rancid' user that was created automatically when you installed RANCID:

sudo su -c /var/lib/rancid/bin/rancid-cvs -s /bin/bash -l rancid

If that works without error, you should be able to see a set of new folders under /var/lib/rancid, one per group, and within them the router.db files that will contain details of the devices that you want to query:

[you@yourserver ~]$ sudo find /var/lib/rancid -type f -name router.db

Add the devices

The router.db files tell RANCID which devices exist in each group. Each device occupies a single line in the file, in the format hostname:device-type:state, for example:

fw-not:fortinet:up

The hostname must match the name you put in /etc/hosts (and the name you will use in .cloginrc), the device type selects the login script and parser RANCID uses, and the state is up or down; devices marked down are skipped entirely, which is handy for testing. Note that RANCID 3.x changed the field separator from ':' to ';'; the version packaged here uses ':'.

Configure cloginrc

RANCID uses cloginrc to connect to, and authenticate against, the devices that you have configured in the router.db files. To do this it needs details of how to connect to each device (SSH, Telnet etc.) and the credentials to be passed through to it. These details are in /var/lib/rancid/.cloginrc by default. The file holds the device passwords in plaintext, so keep it readable by the rancid user only (mode 0600). I'm only going to cover connecting via SSH to devices that authenticate locally here, since Telnet isn't secure enough for this sort of thing really, and remote authentication via LDAP or the like can get complicated.
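As an added example, not part of the original guide, the shell snippet below writes a .cloginrc in the format described here for devices reached over SSH with local authentication, and locks its permissions down before any password lands in it. The device names, the user name and the passwords are placeholders, and the "first match wins" ordering of wildcard defaults is what clogin does with the file.

```shell
#!/bin/sh
# Added example (not from the original guide): write a minimal .cloginrc for
# SSH devices that authenticate locally, and keep it owner-readable only,
# since it stores device passwords in plaintext. Device names, user names and
# passwords are placeholders.

# write_cloginrc FILE USER LOGIN_PW ENABLE_PW DEVICE...
# Writes one device-specific block per DEVICE, then wildcard defaults.
write_cloginrc() {
    file=$1; user=$2; login_pw=$3; enable_pw=$4
    shift 4
    # Create the file with mode 0600 from the start rather than chmod-ing it
    # afterwards, so there is no window in which it is group/world-readable.
    (umask 077; : > "$file") && chmod 600 "$file" || return 1
    for dev in "$@"; do
        # Braces protect passwords containing spaces, $, [ or other characters
        # that Tcl (the language clogin is written in) would interpret. The
        # second password is the enable password, for device types that have one.
        cat >> "$file" <<EOF
# $dev: SSH, local authentication
add method   $dev ssh
add user     $dev $user
add password $dev {$login_pw} {$enable_pw}
EOF
    done
    # Defaults for any host not listed above. clogin uses the first entry that
    # matches a hostname, so these wildcard lines must come after the specific ones.
    cat >> "$file" <<EOF
# defaults for everything else
add method   * ssh
add user     * $user
EOF
}

# check_cloginrc FILE: true only if the file is readable by its owner alone.
check_cloginrc() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Example use (placeholder credentials):
#   write_cloginrc /var/lib/rancid/.cloginrc rancid 'L0ginPw' 'En@blePw' ro-not fw-not
#   check_cloginrc /var/lib/rancid/.cloginrc && echo "permissions ok"
```

Run it as the rancid user so the file is owned by the account clogin runs under; check_cloginrc is the test to add to any automation that touches the file, since a world-readable .cloginrc hands every device password to every local user.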
For full details of all the protocols that cloginrc can use to connect to your remote devices, see the man page for cloginrc. Assuming the device authenticates locally and we're connecting via SSH, I might enter the following in /var/lib/rancid/.cloginrc:

Add a set of config like the above for each device. Obviously, you'll need to make sure that the user you define exists on the remote device, and that you can log into that device, with that user, from your RANCID server.

Testing cloginrc

Once you've added the cloginrc config for all your configured devices, you can begin testing. Firstly, we need to see if clogin can connect to each device with the credentials you've provided for it:

/usr/lib/rancid/bin/clogin -f /var/lib/rancid/.cloginrc ro-not

Assuming that all is working, you should find yourself in exec mode on your device (or the equivalent if it's not a Cisco router). When you're not so lucky, clogin should give you some helpful error messages to point you in the right direction.

Testing RANCID

With clogin working, we can now give RANCID a test:

sudo su -c /var/lib/rancid/bin/rancid-run -s /bin/bash -l rancid

Depending on the number of devices you've configured, this might take a while to run, so be patient! If you're having trouble with it, or if you're testing an automation script (see below), it's worth temporarily setting all but one of your devices to 'down' in the router.db files to speed this process up. Once it's finished, check /var/log/rancid for details. You should also receive some emails with details of the new devices and their configs, assuming you got Sendmail working of course.

Viewing your backups

Once you've got your configs into CVS, you're going to want to look at them. Of course you can open the most recent version with Vim on the RANCID server, but if you want to see older versions, you'll need a client of some sort to access the repository. ViewVC is a browser interface for CVS and Subversion version control repositories.
It generates templatized HTML to present navigable directory, revision, and change log listings. It can display specific versions of files as well as diffs between those versions. See the ViewVC website for more details.

Installing ViewVC

ViewVC can be installed from the Ubuntu repository with apt-get:

apt-get install viewvc

Configuring Apache

Apache is installed automatically as a dependency of ViewVC, but it is not configured out of the box. By default, ViewVC is installed in /usr/lib/viewvc/ and the main executable is in /usr/lib/cgi-bin/. In order to make Apache recognise ViewVC, you must add the following line to /etc/apache2/httpd.conf:

ScriptAlias /viewvc/ /usr/lib/cgi-bin/

Bear in mind that this publishes every device config in the repository, including any secrets RANCID didn't filter out, to anyone who can reach the web server. Put it behind Apache authentication (and HTTPS), or at least restrict it to your management network, before you point it at the repository.

Configuring ViewVC

ViewVC needs to know where your CVS repository is located in order to view it. The location needs to be entered into /etc/viewvc/viewvc.conf under the [general] section of the config. You can either specify individual repositories or, as I did, specify a root parent location under which multiple repositories can be located, in case you have cause to add more in future:

root_parents = /var/lib/rancid/CVS : cvs

Restart Apache:

service apache2 restart

Once Apache has restarted, you should be able to browse to http://[serverip]/viewvc/viewvc.cgi to see the contents of your RANCID repository.

Basic automation

The most straightforward way to automate backups is to schedule RANCID to run periodically via cron. This will scan all the configured devices and email you if there have been any changes. As RANCID needs to be run by the rancid user, we have to put the job in the crontab for that user:

sudo su -c "/usr/bin/crontab -e -u rancid"

Add the job, scheduling it to meet your needs. The following would run RANCID every Monday at 09:00:

# m h dom mon dow command
00 09 * * Mon /usr/bin/rancid-run

Advanced automation

The cron job was a little lacking for our implementation.
We wanted a way to annotate the changes that were made to devices, and enter them into the repository immediately as they are made. I decided to write a wrapper script for RANCID that would do the following:

* Determine if the device a user was trying to edit was configured in RANCID
* Open a connection to that device, allowing the user to view and edit the config
* Perform a RANCID backup when the user logs out of the device
* Determine if the config for the device in question has been changed, and exit if it hasn't
* Prompt the user to record their changes in a changelog file if the config has been changed
* Insert a blank log entry at the top of the device's changelog, and populate it with the device name, config version, user, and date/time
* Open the changelog so the user can add a description of the changes that they made
* When the user saves the changelog, commit it to the CVS repo, next to the device config

The script I have written is pretty basic, but it does the job. The script utilises some of the things you've already done to get to this point, and a bit of other basic bash scripting:

The changelog template referred to in the above script looks like this:

Device: DEVICE

That's it. We are now using this system to edit configs and record the changes at the same time, and it's working pretty well so far. Thanks for reading.

These instructions have been gathered from numerous sources on the internet and compiled into this guide. Most of the instructions above (except the script) are not my own. I've merely compiled and distilled several sets of instructions into a guide to achieve a particular goal. Trackbacks below. If you feel that you deserve credit and have not been mentioned below, please let me know and I'll be happy to include you.

RANCID - Really Awesome New Cisco confIg Differ
RANCID - Ubuntu Documentation
Installing RANCID on Ubuntu 10.04 LTS
Linux.com - Browse all your source code revisions with ViewVC

by aryoba
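The wrapper described under "Advanced automation" above, as an added example written from that description: it is not the author's script, and the RANCID 2.x layout it relies on (/var/lib/rancid/GROUP being a CVS working copy holding router.db and configs/DEVICE), the /usr/lib/rancid/bin/clogin and /usr/bin/rancid-run paths, the changelog field names and the DEVICE.changelog file name are all assumptions. The top of each changelog entry follows the "Device: DEVICE" template shown above.

```shell
#!/bin/sh
# Added example of the wrapper described in the guide (not the author's
# script). Assumes the RANCID 2.x layout: $RANCID_HOME/GROUP is a CVS working
# copy with router.db and configs/DEVICE. Must run as the rancid user
# (e.g. sudo -H -u rancid edit-device ro-not) so rancid-run and cvs work.

RANCID_HOME=${RANCID_HOME:-/var/lib/rancid}
LOGIN_CMD=${LOGIN_CMD:-/usr/lib/rancid/bin/clogin}   # fnlogin, jlogin... for other types
RANCID_RUN=${RANCID_RUN:-/usr/bin/rancid-run}

# find_group DEVICE: print the group whose router.db lists DEVICE as 'up';
# return 1 if the device is unknown or marked down, so nothing is edited
# that RANCID would not record. Lines look like hostname:type:up
# (RANCID 3.x uses ';' as the separator; both are accepted).
find_group() {
    dev=$1
    for db in "$RANCID_HOME"/*/router.db; do
        [ -f "$db" ] || continue
        if awk -F'[:;]' -v d="$dev" '$1 == d && $3 == "up" { f = 1 } END { exit !f }' "$db"; then
            basename "$(dirname "$db")"
            return 0
        fi
    done
    return 1
}

# config_digest FILE: SHA-256 of the saved config, empty if not collected yet,
# so a device's very first collection also counts as a change.
config_digest() {
    if [ -f "$1" ]; then sha256sum "$1" | cut -d' ' -f1; fi
}

# config_revision FILE: CVS working revision of the saved config (e.g. 1.7).
config_revision() {
    (cd "$(dirname "$1")" && cvs -Q status "$(basename "$1")" \
        | awk '/Working revision/ { print $3 }')
}

# cvs_tracked DIR NAME: true if NAME is already in DIR's working copy
# (CVS/Entries holds one "/name/revision/..." line per tracked file).
cvs_tracked() {
    grep -qF -- "/$2/" "$1/CVS/Entries" 2>/dev/null
}

# new_changelog_entry LOG DEVICE REVISION USER WHEN: prepend a pre-filled
# entry so the newest change sits at the top, leaving older entries intact.
new_changelog_entry() {
    entry_tmp=$(mktemp "$1.XXXXXX") || return 1
    {
        printf 'Device: %s\nVersion: %s\nUser: %s\nDate: %s\nChanges:\n\n\n' \
            "$2" "$3" "$4" "$5"
        if [ -f "$1" ]; then cat "$1"; fi
    } > "$entry_tmp" && mv "$entry_tmp" "$1"
}

main() {
    dev=$1
    group=$(find_group "$dev") || {
        echo "$dev is not an 'up' device in any router.db; refusing to edit it unrecorded" >&2
        exit 1
    }
    cfg="$RANCID_HOME/$group/configs/$dev"
    before=$(config_digest "$cfg")

    "$LOGIN_CMD" "$dev"          # interactive session; returns when the user logs out
    "$RANCID_RUN" "$group"       # collect the config and let RANCID commit any diff

    after=$(config_digest "$cfg")
    if [ "$before" = "$after" ]; then
        echo "No config change on $dev; nothing to record."
        exit 0
    fi
    # SUDO_USER names the person who made the change, not the rancid account.
    who=${SUDO_USER:-$(id -un)}
    log="$cfg.changelog"
    new_changelog_entry "$log" "$dev" "$(config_revision "$cfg")" "$who" \
        "$(date '+%Y-%m-%d %H:%M:%S')"
    printf 'Config for %s changed. Press Enter to describe the change in %s: ' "$dev" "$log"
    read -r _
    ${EDITOR:-vi} "$log"
    (cd "$RANCID_HOME/$group/configs" \
        && { cvs_tracked . "$dev.changelog" || cvs -Q add "$dev.changelog"; } \
        && cvs -Q commit -m "changelog for $dev by $who" "$dev.changelog")
}

if [ $# -eq 1 ]; then main "$1"; fi
```

Invoke it as sudo -H -u rancid so clogin finds /var/lib/rancid/.cloginrc and SUDO_USER identifies the operator in the changelog. Two things to keep in mind: rancid-run collects the whole group, so during testing mark the other devices down in router.db as suggested earlier; and anyone allowed to run this as rancid can spawn a shell from the editor and read .cloginrc, so the sudoers entry should use env_reset with a fixed EDITOR, and the operators granted it should be the same people you would trust with the rancid credentials anyway.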