Agenda: rancid-exercise.txt

File rancid-exercise.txt, 16.1 KB (added by b.candler, 6 years ago)
Network Management & Monitoring

Using RANCID
============

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands preceded by more specific prompts (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

1. Connect to your PC using ssh

2. Become root, and install the Subversion Version Control System:

        In addition to Subversion we will also install telnet and the mutt
        email client. Both of these packages may already be installed from prior
        exercises. If so, don't worry - apt-get will not reinstall
        them.

        $ sudo bash
        # apt-get install subversion telnet mutt

3. Install Rancid itself

        # apt-get install rancid

        - It will prompt with a warning - Select <OK> and press ENTER to continue.
        - It will give you another warning about making a backup copy of your
          rancid data. We have no data, so select <YES> and press ENTER to continue.

4. Add aliases for the rancid user in the /etc/aliases file

        # editor /etc/aliases

        rancid-all:     sysadm
        rancid-admin-all:   sysadm

    Save the file, then run:

        # newaliases

5. Edit /etc/rancid/rancid.conf

        # editor /etc/rancid/rancid.conf

Find this line in rancid.conf:

        #LIST_OF_GROUPS="sl joebobisp"

and underneath it add the following line:

        LIST_OF_GROUPS="all"

(with no '#' at the front of the line, and aligned to the left)

We want to use Subversion for our Version Control System, and not CVS, so find the
line with the parameter RCSSYS:

        RCSSYS=cvs; export RCSSYS

and change it to:

        RCSSYS=svn; export RCSSYS

Then find the line with CVSROOT:

        CVSROOT=$BASEDIR/CVS; export CVSROOT

and change it to:

        CVSROOT=$BASEDIR/svn; export CVSROOT

Note the lowercase "svn". Now exit and save the file.


6. Change to the rancid user

###################################################################
#
# CRITICAL! CRITICAL! CRITICAL!
#
###################################################################

Pay very close attention to which userid you are using during the rest of these exercises.
If you are not sure, simply type "id" on the command line at any time.

    From a root prompt ("#"), switch identity to become the 'rancid' user:

        # su -s /bin/bash rancid

    Check that you ARE the rancid user:

        $ id

    You should see something similar (the numbers may be different):

        uid=104(rancid) gid=109(rancid) groups=109(rancid)

###################################################################

    ***** IF YOU ARE NOT USER RANCID NOW, do NOT continue ******

###################################################################

7. Create /var/lib/rancid/.cloginrc

        $ editor /var/lib/rancid/.cloginrc

    Add the following two lines to the file:

        add user *.ws.nsrc.org cisco
        add password *.ws.nsrc.org nsrc+ws nsrc+ws

    (The first 'cisco' is the username; the first and second 'nsrc+ws' are the
    login password and enable password used to log in to your router. The star in
    the name means that it will try to use this username and password for all
    routers whose names end in .ws.nsrc.org)

    (Note: it is also allowed to use IP addresses, and one could also write:
        add user 10.10.* cisco
        add password 10.10.* nsrc+ws nsrc+ws)

    Exit and save the file.

    Now protect this file so that it cannot be read by other users, since it
    holds the router login and enable passwords in clear text:

        $ chmod 600 /var/lib/rancid/.cloginrc


8. Test login to the router of your group

    Log in to your router with clogin. You might have to type yes to the first warning, but
    you should not need to enter a password; this should be automatic.

       $ /var/lib/rancid/bin/clogin rtrX.ws.nsrc.org

       (replace X with your group number. So, group 1 is rtr1.ws.nsrc.org)

    You should get something like:

       spawn ssh -c 3des -x -l cisco rtrX.ws.nsrc.org
       The authenticity of host 'rtrX.ws.nsrc.org (10.10.X.254)' can't be established.
       RSA key fingerprint is 73:f3:f0:e8:78:ab:49:1c:d9:5d:49:01:a4:e1:2a:83.
       Are you sure you want to continue connecting (yes/no)?
       Host rtrX.ws.nsrc.org added to the list of known hosts.
       yes
       Warning: Permanently added 'rtrX.ws.nsrc.org' (RSA) to the list of known hosts.
       Password:

       rtrX>enable
       Password:
       rtrX#

    Exit from the router login:

       rtrX#exit


9. Initialize the SVN repository for rancid:

        Make sure you are the rancid user before doing this:

                $ id

        If you do not see something like "uid=108(rancid) gid=113(rancid) groups=113(rancid)"
        then DO NOT CONTINUE until you have become the rancid user. See exercise 6 for
        details.

        Now initialize the Version Control repository (it will use Subversion):

        $ /usr/lib/rancid/bin/rancid-cvs

    You should see something similar to this:

        Committed revision 1.
        Checked out revision 1.
        At revision 1.
        A         configs
        Adding         configs

        Committed revision 2.
        A         router.db
        Adding         router.db
        Transmitting file data .
        Committed revision 3.

******** Do this ONLY if you have problems *******

     If this does not work, then either you are missing the subversion package, or
     something was not properly configured during the previous steps. Verify
     that subversion is installed and remove the partially created directories
     before running the rancid-cvs command again:

                $ exit
                # apt-get install subversion
                # su -s /bin/bash rancid
                $ cd /var/lib/rancid
                $ rm -rf all
                $ rm -rf svn

      Now try running the rancid-cvs command again:

                $ /usr/lib/rancid/bin/rancid-cvs

*****************************************************

10. Create the router.db file

        $ editor /var/lib/rancid/all/router.db

    Add this line:

        rtrX.ws.nsrc.org:cisco:up

    (remember to replace X as appropriate)

    Exit and save the file.

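A pre-flight check for the two files created in steps 7 and 10, as an added example that is not part of the original handout: it confirms you are the rancid user, that .cloginrc is mode 600 and owned by you, and that every router.db entry has the hostname:type:up|down layout used above. The /var/lib/rancid path and the colon-separated router.db format come from the steps above; the script name rancid-preflight.sh and the use of GNU stat (as on the Ubuntu hosts) are assumptions.

```shell
#!/bin/sh
# rancid-preflight.sh - added example (not part of the handout). Run it as the
# rancid user after steps 7 and 10. RANCID_HOME and the router.db layout come
# from the exercise above; GNU stat (as on the Ubuntu hosts) is assumed.
RANCID_HOME="${RANCID_HOME:-/var/lib/rancid}"

# check_cloginrc FILE: .cloginrc holds the login and enable passwords in
# clear text, so it must be mode 0600 and owned by the user running rancid.
check_cloginrc() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: $f does not exist (see step 7)"; return 1; }
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    [ "$mode" = "600" ] || { echo "FAIL: $f is mode $mode, want 600 (run chmod 600)"; return 1; }
    [ "$owner" = "$(id -un)" ] || { echo "FAIL: $f is owned by $owner, not $(id -un)"; return 1; }
    echo "ok: $f is mode 600 and owned by $owner"
}

# check_routerdb FILE: every non-blank, non-comment line must read
# hostname:devicetype:up|down (plus an optional comment field), starting in
# column 1, which is what "aligned to the left" in step 19 means.
check_routerdb() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: $f does not exist (see step 10)"; return 1; }
    bad=$(awk -F: '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        NF < 3 || NF > 4 || $1 !~ /^[A-Za-z0-9.-]+$/ || $2 !~ /^[a-z0-9-]+$/ || $3 !~ /^(up|down)$/ {
            print "  line " FNR ": " $0
        }' "$f")
    if [ -n "$bad" ]; then
        echo "FAIL: $f has entries rancid will not understand:"
        echo "$bad"
        return 1
    fi
    echo "ok: $f entries are well-formed"
}

main() {
    rc=0
    [ "$(id -un)" = "rancid" ] || { echo "FAIL: you are $(id -un), not rancid (see step 6)"; rc=1; }
    check_cloginrc "$RANCID_HOME/.cloginrc" || rc=1
    check_routerdb "$RANCID_HOME/all/router.db" || rc=1
    return $rc
}

# Run the checks only when saved and executed under this name, so the
# functions can also be sourced from another script.
case "${0##*/}" in rancid-preflight.sh) main; exit $? ;; esac
```
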
11. Let's run rancid!

        $ /usr/lib/rancid/bin/rancid-run

    This will take a few moments, so be patient.

    Run it again, since the first time it might not commit correctly:

        $ /usr/lib/rancid/bin/rancid-run

12. Check the rancid log files:

        $ cd /var/lib/rancid/logs
        $ ls -l

    ... View the contents of the file(s):

        $ less all.*

    NOTE! When using "less", press ":n" to see the next file, ":p" to see the
    previous file, and "q" to exit.

13. Look at the configs

        $ cd /var/lib/rancid/all/configs
        $ less rtrX.ws.nsrc.org

    where you should replace "X" with your group number.

    If all went well, you can see the config of the router.

14. Let's change an interface description on the router

        $ /usr/lib/rancid/bin/clogin rtrX.ws.nsrc.org

    where you should replace "X" with your group number.

    At the "rtrX#" prompt, enter the command:

        rtrX# conf term

    You should see:

        Enter configuration commands, one per line.  End with CNTL/Z.
        rtrX(config)#

    Enter:

        rtrX(config)# interface LoopbackXX              (replace XX with your PC number)

    You should get this prompt:

        rtrX(config-if)#

    Enter:

        rtrX(config-if)# description <put your name here>
        rtrX(config-if)# end

    You should now have this prompt:

        rtrX#

    To save the config to memory:

        rtrX# write memory

    You should see:

        Building configuration...
        [OK]

    To exit, type:

        rtrX# exit

    Now you should be back at your rancid user prompt on your system.


15. Let's run rancid again:

        $ /usr/lib/rancid/bin/rancid-run

    Look at the rancid logs:

        $ ls /var/lib/rancid/logs/

    You should see the latest rancid execution as a new log file with the date
    and time in the name.

16. Let's see the differences

        $ cd /var/lib/rancid/all/configs
        $ ls -l

    You should see the router config file for your group. Look at its history:

        $ svn log rtrX.ws.nsrc.org

    (where X is the number of your router)

    Notice the revisions.  Let's view the difference between two versions:

        $ svn diff -r 5:7 rtrX.ws.nsrc.org | less

    ... can you find your changes?

    Note that svn is the Subversion command line tool for working with
    Subversion repositories. If you type:

        $ ls -lah

    you will see a hidden directory called ".svn" - this is Subversion's
    working-copy metadata, which tracks the changes between router configurations
    from each time you run rancid using /usr/lib/rancid/bin/rancid-run.

    Whatever you do, don't edit or touch the .svn directory by hand!


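The svn diff above is the raw material for change review. The script below, an added example that is not part of the original handout, reads such a diff on stdin and reports only the added or removed config lines that touch local users, SNMP, AAA, access lists, routing or VTY access, so a cron job can draw attention to them. The pattern list is an assumption to adjust for your devices, and the sample diff is constructed to resemble the changes made in steps 14 and 24.

```shell
#!/bin/sh
# flag-changes.sh - added example (not part of the handout). Reads 'svn diff'
# output as produced in step 16 and prints the config lines whose addition or
# removal should be reviewed. The pattern list is an assumption; extend it.
SENSITIVE='^(username|enable (secret|password)|snmp-server|aaa |access-list|ip access-list|line vty|ip route|tacacs-server|radius-server|logging|ntp server)'

# flag_sensitive_changes: stdin is a unified diff; stdout gets one line per
# flagged change, prefixed with the router file it came from. Like grep, the
# exit status is 0 when something was flagged and 1 when nothing was.
flag_sensitive_changes() {
    awk -v pat="$SENSITIVE" '
        /^[+][+][+] / { file = $2; next }     # "+++ rtr1.ws.nsrc.org (revision 7)"
        /^--- /       { next }                # old-file header, not a removal
        /^[+-]/ {
            body = substr($0, 2)              # drop the +/- marker
            sub(/^[[:space:]]+/, "", body)    # and the config indentation
            if (body ~ pat) { print file ": " $0; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: a diff like the one between the revisions made by
# steps 14 and 24 (<removed> is the marker rancid uses when it filters
# passwords out of the stored config).
SAMPLE_DIFF='Index: rtr1.ws.nsrc.org
===================================================================
--- rtr1.ws.nsrc.org    (revision 5)
+++ rtr1.ws.nsrc.org    (revision 7)
@@ -12,6 +12,8 @@
 hostname rtr1
+username NewUser secret <removed>
 !
 interface Loopback1
- description old description
+ description Alice
+access-list 10 permit any
 !'

# count_flagged: number of lines flagged in SAMPLE_DIFF (a self-check).
count_flagged() {
    printf '%s\n' "$SAMPLE_DIFF" | flag_sensitive_changes | wc -l | tr -d ' '
}

# Usage from /var/lib/rancid/all/configs, as in step 16:
#   svn diff -r 5:7 rtrX.ws.nsrc.org | sh flag-changes.sh
# Run without a piped diff, the script demonstrates itself on SAMPLE_DIFF.
case "${0##*/}" in
    flag-changes.sh)
        if [ -t 0 ]; then printf '%s\n' "$SAMPLE_DIFF" | flag_sensitive_changes
        else flag_sensitive_changes; fi ;;
esac
```
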
17. Check your mail

        Now we will exit from the rancid user shell and the root user shell to go
        back to being the "sysadm" user. Then we'll use the "mutt" email client to
        see if rancid has been sending emails to the sysadm user.

        $ exit                                  (takes you from rancid to root user)
        # exit                                  (takes you from root to sysadm user)
        $ id
        ... check that you are now the 'sysadm' user again;

        ... if not, log out and in again as sysadm to your virtual host

        $ mutt

    (When asked to create the Mail directory, say Yes)

    If everything goes as planned, you should be able to read the mails
    sent by Rancid. You can select an email sent by "rancid@pcX.ws.nsrc.org"
    and see what it looks like.

    Notice that it contains your router description and any differences from the last
    time the config was obtained using the rancid-run command.

    Now exit from mutt.

    (use 'q' to return to the mail index, and 'q' again to quit mutt)

18. Let's make rancid run automatically every 30 minutes using cron

        cron is a system available in Linux to automate the running of jobs. First we
        need to become the root user again:

        $ sudo bash

    Now we will create a new job to run for the rancid user:

        # crontab -e -u rancid

    It will ask you for your favorite editor. Select whichever editor you have been
    using in class.

    Add this line at the bottom of the file (COPY and PASTE):

        */30  *  *  *  *  /usr/lib/rancid/bin/rancid-run

    ... then save and quit from the file.

    That's it. The command "rancid-run" will execute automatically from now on every
    30 minutes, all the time (every day, week and month).


19. Now add all the other routers

    Note the hostnames for the routers:

        rtrX.ws.nsrc.org  where X goes from 1 to 9

    If you have fewer routers in your class, then only include the actual, available
    routers.

    Become the rancid user and update the router.db file:

        # su -s /bin/bash rancid
        $ editor /var/lib/rancid/all/router.db

    Add the other classroom routers to the file. You should end up with
    something like (COPY and PASTE):

        rtr1.ws.nsrc.org:cisco:up
        rtr2.ws.nsrc.org:cisco:up
        rtr3.ws.nsrc.org:cisco:up
        rtr4.ws.nsrc.org:cisco:up
        rtr5.ws.nsrc.org:cisco:up
        rtr6.ws.nsrc.org:cisco:up
        rtr7.ws.nsrc.org:cisco:up
        rtr8.ws.nsrc.org:cisco:up
        rtr9.ws.nsrc.org:cisco:up

    (Note that "cisco" means this is Cisco equipment -- it tells Rancid
    that we are expecting to talk to a Cisco device here.  You can also
    talk to Juniper, HP, ...).

    Be sure the entries are aligned to the left of the file.

20. Run rancid again:

        $ /usr/lib/rancid/bin/rancid-run

    This should take a minute or more now, so be patient.

21. Check out the logs:

        $ cd /var/lib/rancid/logs
        $ ls -l

    ... Pick the latest file and view it:

        $ less all.YYYYMMDD.HHMMSS

    This should be the last file listed in the output from "ls -l".

    You should notice a bunch of statements indicating that routers have been
    added to the Subversion version control repository, and much more.

22. Look at the configs

        $ cd /var/lib/rancid/all/configs
        $ more *.ws.nsrc.org

        Press the SPACE bar to continue through each file. Or, you could do:

                $ less *.ws.nsrc.org

        and press the SPACE bar to scroll through each file, then press ":n" to
        view the next file. Remember, in both cases you can press "q" to quit at
        any time.

    If all went well, you can see the configs of ALL routers.

23. Run RANCID again just in case someone changed some configuration on the router

        $ /usr/lib/rancid/bin/rancid-run

     This could take a few moments, so be patient....


24. Play with clogin:

        $  /usr/lib/rancid/bin/clogin -c "show clock" rtrX.ws.nsrc.org

    where "X" is the number of your group.

    What do you notice?

    Even better, we can show the power of using a simple script to make changes
    to multiple devices quickly:

        $ editor /tmp/newuser

    ... in this file, add the following commands (COPY and PASTE):

        configure terminal
        username NewUser secret 0 NewPassword
        exit
        write

    Save the file, exit, and run the following commands from the command line:

                $ for r in 1 2 3 4

                Your prompt will now change to ">". Continue by typing:

                > do
                > /var/lib/rancid/bin/clogin -x /tmp/newuser rtr$r.ws.nsrc.org
                > done

        Now your prompt will go back to "$" and the rancid clogin command will run and
        execute the commands you just typed above on routers rtr1, rtr2, rtr3 and
        rtr4. This is simple shell scripting in Linux, but it's very powerful.

    Q. How would you verify that this has executed correctly? Hint: "show run | inc"

    A. Connect to rtr1, rtr2, rtr3 and rtr4. Type "enable" and then type
       "show run | inc username" to verify that the NewUser username now exists.
       Type exit to leave each router. Naturally you could automate this like we just
       did above.


25. Add the RANCID SVN (Subversion) repository to WebSVN

    If you are still logged in as user rancid, get back to root. Remember you can type
    "id" to check which userid you are.

        $ exit
        #

    Install WebSVN:

        # apt-get install websvn
                * Select <Yes> to the question asking if you want to configure WebSVN now, and press ENTER
                * Select <Ok> for the next question about supporting various web servers, and press
                  ENTER
                * When asked for the "svn parent repositories", change the path to be:

                  /var/lib/rancid/svn

                  Select <Ok> and press ENTER. Do the same when asked about "svn repositories" on
                  the next screen. That is, use the path:

                  /var/lib/rancid/svn

                  and not what is shown by default. Select <Ok> and press ENTER.
                * Select <Ok> for the next screen talking about permissions, and press ENTER.

26. Fix permissions. The web server must be able to read the SVN (Subversion) folder:

        # chgrp -R www-data /var/lib/rancid/svn
        # chmod g+w -R /var/lib/rancid/svn


27. Browse the rancid files from your Web browser!

        http://pcX.ws.nsrc.org/websvn

    Browse the files under the 'all/configs' directory.
    You can see all your router configuration files here.


28. Review revisions

    WebSVN lets you easily see the changes between versions.

        * Browse to http://pcX.ws.nsrc.org/websvn again, go to all, configs.
        * Click on your router file name (rtrX.ws.nsrc.org). You will get a new screen.
        * Click "Compare with Previous" at the top of the screen.
        * You should now see the latest changes highlighted.

    Click on "REPOS 1" to go back to the main WebSVN page:

        * Click on "all/" under "Path"
        * Click on "configs/"
        * Select two of the routers that are next to each other, e.g. rtr1 and rtr2, or rtr3 and
          rtr4.
        * Click on Compare Paths

    This will show you the differences between two separate router configurations.

    WebSVN is a convenient way to quickly see differences via a GUI between multiple
    configuration files. Note that this is a potential security hole, since anyone who
    can reach the URL can read every router configuration, so you should limit
    access to the URL http://host/websvn using passwords (and SSL) or appropriate
    access control lists.
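
One way to apply the advice in the last paragraph on the Ubuntu/Apache host used in this exercise, as an added example that is not part of the original handout: it generates an Apache configuration that requires a password for /websvn, points it at an htpasswd file, and refuses plain HTTP when mod_ssl is enabled. The file names websvn-auth.conf and /etc/apache2/websvn.htpasswd are assumptions, and the htpasswd and a2enconf calls assume the apache2-utils package and Apache 2.4.

```shell
#!/bin/sh
# websvn-protect.sh - added example (not part of the handout). Restricts the
# WebSVN URL from step 27 to users listed in an htpasswd file. File names,
# Apache 2.4 (a2enconf) and apache2-utils (htpasswd) are assumptions.

# write_websvn_auth CONF_FILE HTPASSWD_FILE: write a <Location> block that
# requires a valid user for /websvn and, when mod_ssl is active, refuses
# plain HTTP so the password (and the configs) never travel in clear text.
write_websvn_auth() {
    conf="$1"; users="$2"
    cat > "$conf" <<EOF
<Location /websvn>
    AuthType Basic
    AuthName "RANCID router configurations"
    AuthUserFile $users
    Require valid-user
    # Only serve the configs over HTTPS when mod_ssl is enabled.
    <IfModule mod_ssl.c>
        SSLRequireSSL
    </IfModule>
</Location>
EOF
}

# websvn_auth_ok CONF_FILE: sanity check that the generated file still
# requires authentication for /websvn (returns 0) before Apache loads it.
websvn_auth_ok() {
    grep -q '^<Location /websvn>$' "$1" && grep -q '^    Require valid-user$' "$1"
}

# Run as root; only executes when saved under this name so the functions
# can be sourced elsewhere without touching the live Apache configuration.
case "${0##*/}" in
    websvn-protect.sh)
        CONF=/etc/apache2/conf-available/websvn-auth.conf
        USERS=/etc/apache2/websvn.htpasswd
        [ -f "$USERS" ] || htpasswd -c "$USERS" sysadm     # prompts for a password
        write_websvn_auth "$CONF" "$USERS"
        websvn_auth_ok "$CONF" || exit 1
        a2enconf websvn-auth && service apache2 reload ;;
esac
```
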