Connect to your PC using ssh, and become root:
$ sudo -s
#
Now install the Subversion Version Control System:
In addition to Subversion we will also install telnet and the mutt email client. Both of these packages may already be installed from prior exercises. If so, don't worry: the apt-get command will not reinstall them.
# apt-get install subversion telnet mutt
Install rancid itself:
# apt-get install rancid
Select <OK> and press ENTER to continue. Then select <YES> and press ENTER to continue.
Add an alias for the rancid user in the /etc/aliases file
RANCID by default sends emails to the users rancid-groupname and rancid-admin-groupname. We want them to be sent to the sysadm user instead and use the alias function for this.
# editor /etc/aliases
Add the following entries.
rancid-routers: sysadm
rancid-admin-routers: sysadm
Save the file, then run:
# newaliases
Edit /etc/rancid/rancid.conf
# editor /etc/rancid/rancid.conf
Find these lines in rancid.conf:
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"; export LIST_OF_GROUPS
And, underneath them add the following line:
LIST_OF_GROUPS="routers"
(with no '#' at the front of line, and aligned to the left)
Find the line with CVSROOT:
CVSROOT=$BASEDIR/CVS; export CVSROOT
And, change it to:
CVSROOT=$BASEDIR/svn; export CVSROOT
Note the lowercase “svn”.
We want to use Subversion for our Version Control System, and not CVS, so find the line with the parameter RCSSYS:
RCSSYS=cvs; export RCSSYS
And, change it to:
RCSSYS=svn; export RCSSYS
Now exit and save the file.
Pay very close attention to what userid you are using during the rest of these exercises. If you are not sure simply type “id” on the command line at any time.
From a root prompt (“#”), switch identity to become the 'rancid' user:
# su -s /bin/bash rancid
Check that you ARE the rancid user:
$ id
You should see something similar (numbers may be different):
uid=104(rancid) gid=109(rancid) groups=109(rancid)
IF YOU ARE NOT USER RANCID NOW, do NOT continue
$ editor /var/lib/rancid/.cloginrc
Add the following two lines to the file:
add user *.ws.nsrc.org cisco
add password *.ws.nsrc.org nsrc+ws nsrc+ws
(The first 'cisco' is the username; the first and second 'nsrc+ws' are the password and the enable password used to log in to your router. The star in the name means that clogin will try this username and password for all routers whose names end in .ws.nsrc.org.)
Exit and save the file.
Now protect this file so that it cannot be read by other users:
$ chmod 600 /var/lib/rancid/.cloginrc
Log in to your router with clogin. You might have to type yes to the first warning, but you should not need to enter a password; this should be automatic.
$ /var/lib/rancid/bin/clogin rtrX.ws.nsrc.org
(replace X with your group number. So, group 1 is rtr1.ws.nsrc.org)
You should get something like:
spawn ssh -c 3des -x -l cisco rtrX.ws.nsrc.org
The authenticity of host 'rtrX.ws.nsrc.org (10.10.X.254)' can't be established.
RSA key fingerprint is 73:f3:f0:e8:78:ab:49:1c:d9:5d:49:01:a4:e1:2a:83.
Are you sure you want to continue connecting (yes/no)?
Host rtrX.ws.nsrc.org added to the list of known hosts.
yes
Warning: Permanently added 'rtrX.ws.nsrc.org' (RSA) to the list of known hosts.
Password:
rtrX>enable
Password:
rtrX#
Exit from the router login:
rtrX#exit
Make sure you are the rancid user before doing this:
$ id
If you do not see something like
uid=104(rancid) gid=109(rancid) groups=109(rancid)
then DO NOT CONTINUE until you have become the rancid user. See the earlier section for details.
Now initialize the Version Control repository (it will use Subversion):
$ /usr/lib/rancid/bin/rancid-cvs
You should see something similar to this:
Committed revision 1.
Checked out revision 1.
At revision 1.
A         configs
Adding         configs

Committed revision 2.
A         router.db
Adding         router.db
Transmitting file data .
Committed revision 3.
**Do the following ONLY if you have problems**
If this does not work, then either you are missing the subversion package, or something was not properly configured during the previous steps. You should verify that subversion is installed, and then, before running the rancid-cvs command again, do the following:
$ exit
# apt-get install subversion
# su -s /bin/bash rancid
$ cd /var/lib/rancid
$ rm -rf routers
$ rm -rf svn
Now try running the rancid-cvs command again:
$ /usr/lib/rancid/bin/rancid-cvs
$ editor /var/lib/rancid/routers/router.db
Add this line (NO spaces at the beginning please):
rtrX.ws.nsrc.org:cisco:up
(remember to replace X as appropriate)
Exit and save the file.
Still as the rancid user:
$ /usr/lib/rancid/bin/rancid-run
This may take some time so be patient.
Run it again, since the first time it might not commit correctly:
$ /usr/lib/rancid/bin/rancid-run
$ cd /var/lib/rancid/logs
$ ls -l
… View the contents of the file(s):
$ less routers.*
NOTE! Using “less” - to see the next file press “:n”. To see the Previous file press “:p”. To exit from less press “q”.
$ cd /var/lib/rancid/routers/configs
$ less rtrX.ws.nsrc.org
Where you should replace “X” with your group number.
If all went well, you can see the config of the router.
Let's change an interface Description on the router
$ /usr/lib/rancid/bin/clogin rtrX.ws.nsrc.org
Where you should replace “X” with your group number.
At the “rtrX#” prompt, enter the command:
rtrX# conf term
You should see:
Enter configuration commands, one per line.  End with CNTL/Z.
rtrX(config)#
Enter:
rtrX(config)# interface LoopbackXX
(replace XX with your PC number)
You should get this prompt:
rtrX(config-if)#
Enter:
rtrX(config-if)# description <put your name here>
rtrX(config-if)# end
You should now have this prompt:
rtrX#
To save the config to memory:
rtrX# write memory
You should see:
Building configuration...
[OK]
To exit type:
rtrX# exit
Now you should be back at your rancid user prompt on your system:
$ /usr/lib/rancid/bin/rancid-run
Look at the rancid logs:
$ ls /var/lib/rancid/logs/
You should see the latest rancid execution as a new log file with the date and time in the name.
$ cd /var/lib/rancid/routers/configs
$ ls -l
You should see the router config file for your group. Now look at its revision history:
$ svn log rtrX.ws.nsrc.org
(where X is the number of your router)
Notice the revisions. You should see different revision numbers such as r5 and r7. Choose the lowest and the highest one.
Let's view the difference between two versions:
$ svn diff -r5:7 rtrX.ws.nsrc.org | less
$ svn diff -r6:7 rtrX.ws.nsrc.org | less
… can you find your changes?
Notice that svn is the Subversion Version Control System command line tool for working with Subversion repositories. If you type:
$ cd /var/lib/rancid/routers
$ ls -lah
you will see a hidden directory called .svn. This actually contains all the information about the changes between router configurations from each time you run rancid using /usr/lib/rancid/bin/rancid-run.
Whatever you do, don't edit or touch the .svn directory by hand!
Now we will exit from the rancid user shell and the root user shell to go back to being the “sysadm” user. Then we'll use the “mutt” email client to see if rancid has been sending emails to the sysadm user.
$ exit      (takes you from rancid to the root user)
# exit      (takes you from root to the sysadm user)
$ id        ... check that you are now the 'sysadm' user again;
            ... if not, log out and in again as sysadm to your virtual host
$ mutt
(When asked to create the Mail directory, say Yes)
If everything goes as planned, you should be able to read the mails sent by Rancid. You can select an email sent by “rancid@pcX.ws.nsrc.org” and see what it looks like.
Notice that it is your router description and any differences from the last time it was obtained using the rancid-run command.
Now exit from mutt.
(use 'q' return to mail index, and 'q' again to quit mutt)
Let's make rancid run automatically every 30 minutes using cron
cron is a system available in Linux to automate the running of jobs. First we need to become the root user again:
$ sudo -s
#
Now create or edit the file /etc/cron.d/rancid:
# editor /etc/cron.d/rancid
and add the following line to the bottom:
*/30 * * * * rancid /usr/lib/rancid/bin/rancid-run
If this file already exists then add this line and leave the rest commented out.
That's it. The command “rancid-run” will now execute automatically every 30 minutes, all the time (every day, week and month).
Now add all the other routers. Note the hostnames:
If you have fewer routers in your class, then only include the actual, available routers.
Become the rancid user and update the router.db file:
# su -s /bin/bash rancid
$ editor /var/lib/rancid/routers/router.db
Add the other classroom routers to the file. You should end up with something like (COPY and PASTE):
rtr1.ws.nsrc.org:cisco:up
rtr2.ws.nsrc.org:cisco:up
rtr3.ws.nsrc.org:cisco:up
rtr4.ws.nsrc.org:cisco:up
rtr5.ws.nsrc.org:cisco:up
rtr6.ws.nsrc.org:cisco:up
rtr7.ws.nsrc.org:cisco:up
rtr8.ws.nsrc.org:cisco:up
rtr9.ws.nsrc.org:cisco:up
(Note that “cisco” means this is Cisco equipment; it tells Rancid that we are expecting to talk to a Cisco device here. You can also talk to Juniper, HP, ….)
Be sure the entries are aligned to the left of the file.
Run rancid again (still as the 'rancid' user):
$ /usr/lib/rancid/bin/rancid-run
This should take a minute or more now, be patient.
Check out the logs:
$ cd /var/lib/rancid/logs
$ ls -l
… Pick the latest file and view it
$ less routers.YYYYMMDD.HHMMSS
This should be the last file listed in the output from “ls -l”
You should notice a bunch of statements indicating that routers have been added to the Subversion version control repository, and much more.
$ cd /var/lib/rancid/routers/configs
$ less *.ws.nsrc.org
Press the SPACE bar to scroll through each file and then press “:n” to view the next file. Press “q” to quit at any time.
If all went well, you can see the configs of ALL routers.
Run RANCID again, just in case someone changed some configuration on the router:
$ /usr/lib/rancid/bin/rancid-run
This could take a few moments, so be patient….
$ /usr/lib/rancid/bin/clogin -c "show clock" rtrX.ws.nsrc.org
Where “X” is the number of your group.
What do you notice?
Even better, we can show the power of using a simple script to make changes to multiple devices quickly:
$ editor /tmp/newuser
… in this file, add the following commands (COPY and PASTE):
configure terminal
username NewUser secret 0 NewPassword
end
write
Save the file, exit, and run the following commands from the command line:
$ for r in 1 2 3 4
Your prompt will now change to ">". Continue by typing:
> do
> /var/lib/rancid/bin/clogin -x /tmp/newuser rtr$r.ws.nsrc.org
> done
Now your prompt will go back to “$”, and the rancid clogin command will run and execute the commands you just typed above on routers rtr1, rtr2, rtr3 and rtr4. This is simple shell scripting in Linux, but it's very powerful.
Q. How would you verify that this has executed correctly? Hint: “show run | inc”
A. Connect to rtr1, rtr2, rtr3 and rtr4. Type “enable” and then type "show run | inc username" to verify that the NewUser username now exists. Type exit to leave each router. Naturally you could automate this as we just did above.
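The loop above hard-codes the router numbers. As an added example (not part of the original exercise or of RANCID), the script below drives clogin from the same router.db file that rancid-run uses, pushing the command file only to entries marked cisco and up, and then runs the "show run | inc username" check from the answer above, keeping one log per router. The paths and the log directory are assumptions taken from this exercise.

```shell
#!/bin/sh
# Added example: push a clogin command file to every router that router.db
# lists as cisco and "up", then verify the result. Assumed paths as in this
# exercise (override ROUTER_DB / CLOGIN in the environment if they differ).
ROUTER_DB="${ROUTER_DB:-/var/lib/rancid/routers/router.db}"
CLOGIN="${CLOGIN:-/var/lib/rancid/bin/clogin}"

# Print the hostnames of router.db entries "<host>:<type>:<state>" matching
# the given type and state; comments, blank lines and other states are skipped.
routers_of_type() {
    want_type="$1"; want_state="$2"; db="$3"
    while IFS=: read -r host type state _; do
        case "$host" in ''|\#*) continue ;; esac
        if [ "$type" = "$want_type" ] && [ "$state" = "$want_state" ]; then
            printf '%s\n' "$host"
        fi
    done < "$db"
}

# Run the command file (-x) on every up cisco router, then confirm with
# "show run | inc username" (-c). Each router's output goes to $logdir.
push_and_verify() {
    cmdfile="$1"; logdir="$2"
    mkdir -p "$logdir"
    for host in $(routers_of_type cisco up "$ROUTER_DB"); do
        "$CLOGIN" -x "$cmdfile" "$host" > "$logdir/$host.push.log" 2>&1 \
            || printf 'push failed on %s (see %s)\n' "$host" "$logdir/$host.push.log" >&2
        "$CLOGIN" -c "show run | inc username" "$host" > "$logdir/$host.verify.log" 2>&1 \
            || printf 'verify failed on %s\n' "$host" >&2
    done
}

# Usage: ./push.sh /tmp/newuser [logdir]   (as the rancid user)
case "${1:-}" in
    '') ;;                       # sourced or run without arguments: define only
    *)  push_and_verify "$1" "${2:-/var/lib/rancid/logs/push}" ;;
esac
```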
Now we will add the RANCID SVN (Subversion) repository in to WebSVN so that you can browse configurations via the web.
If you are still logged in as user rancid, get back to root. Remember you can type “id” to check what userid you are.
$ exit
#
Install WebSVN:
# apt-get install websvn
During the installation, follow these instructions:
Select <Yes> to the question asking if you want to configure WebSVN now, and press ENTER.
Select <Ok> for the next question about supporting various web servers, and press ENTER.
On the next screen, enter the path /var/lib/rancid/svn, select <Ok> and press ENTER. Do the same when asked about “svn repositories” on the next screen. That is, use the path:
/var/lib/rancid/svn
and not what is shown by default. Select <Ok> and press ENTER.
Select <Ok> for the next screen talking about permissions and press ENTER.
Note: if you are installing under Ubuntu 14.04, you may get an error about the `conf.d` directory not being present. If so, work around the problem like this (including creating a dummy conf.d directory):
# ln -s /etc/websvn/apache.conf /etc/apache2/conf-available/websvn.conf
# mkdir /etc/apache2/conf.d
# a2enconf websvn.conf
# service apache2 reload
Now fix permissions. The web server must be able to read the SVN (Subversion) folder
# chgrp -R www-data /var/lib/rancid/svn
# chmod g+w -R /var/lib/rancid/svn
Browse the rancid files from your Web browser!
Browse the files under the 'routers/configs' directory. You can see all your router configuration files here.
You would not want the entire Internet to be able to browse your configuration files. Here are some steps you can take to secure WebSVN access. One step not included is to enforce the use of https (ssl) access. We recommend this for all your web sites wherever possible.
First, update the Apache2 configuration for websvn:
# cd /etc/apache2/conf.d/
# vi websvn
Find this section of code in the file:
## End MultiViews
Order allow,deny
Allow from all
and change it to read:
AllowOverride All
## End MultiViews
Order allow,deny
Allow from 10.10.0.0/16
Now save and exit from the file. Next we need to create a .htaccess file in the /usr/share/websvn directory:
# cd /usr/share/websvn
# editor .htaccess
In this file add the following lines:
AuthUserFile /usr/local/websvn/.htpasswd
AuthName "Authorized Users Only Past This Point!"
AuthType Basic
Require valid-user
Save and exit from the file. Now we need to create the .htpasswd file used by the .htaccess file:
# mkdir /usr/local/websvn
# cd /usr/local/websvn
# htpasswd -c .htpasswd sysadm
Provide a password for the user sysadm (maybe the class password?). You should see this:
New password:
Re-type new password:
Adding password for user sysadm
And now we restart the Apache web server for the changes to take effect:
# service apache2 restart
Try browsing to the WebSVN pages at http://pcN.ws.nsrc.org/websvn/ and you should be asked for a username and password to be able to view the pages.
WebSVN lets you see easily the changes between versions.
This will show you the differences between two separate router configurations.
WebSVN is a convenient way to quickly see differences between multiple configuration files via a GUI. Note that this is a potential security hole, so you should limit access to the URL http://host/websvn using passwords (and SSL) or appropriate access control lists.
In a production environment, we'd probably want to add a “rancid” user on the devices, without config privileges, but able to do a “show running-config”.
One way to do this is to add a user in config mode:
rtrX# conf term
Enter configuration commands, one per line.  End with CNTL/Z.
rtrX(config)# username rancid privilege 4 secret password
rtrX(config)# privilege exec level 4 show running-config view full
This creates a rancid user with privilege level 4. On the next line, we allow that user to execute show running-config.
You also need to add the username and password to your .cloginrc:
add user *.ws.nsrc.org rancid
add password *.ws.nsrc.org password
add autoenable *.ws.nsrc.org 1
The autoenable means the user will be at the right privilege level immediately after login, and no enable is needed to run show running-config.
Note: look at the clogin manpage to find out how you can specify another user (for example: cisco) when using clogin interactively, or to make changes with -c or -x (as shown above).
See more at http://www.toms-blog.com/backup-cisco-config-with-rancid-and-an-un-priviledged-user/
Note: it is also allowed to use IP addresses, and one could also write:
add user 10.10.* cisco
add password 10.10.* nsrc+ws nsrc+ws
add user rtr*.ws.nsrc.org cisco
add password rtr*.ws.nsrc.org nsrc+ws nsrc+ws