Really Awesome New ConfIg Differ (RANCID).
rancid
Really Awesome New ConfIg Differ (RANCID) provides an easy way to archive and perform versioning of configuration files from network devices.
Third party packages required:
These are not covered in this installation guide.
- cvs: Concurrent Versions System, used for revision control
- postfix: Postfix is necessary for mailing. More about Postfix: https://websiteforstudents.com/install-postfix-mta-on-ubuntu-16-04-17-10-18-04/
Installation on Debian
baggy@plasma:~$ sudo apt-get install cvs -y
baggy@plasma:~$ sudo apt-get install postfix -y
baggy@plasma:~$ sudo apt-get install rancid -y
You will be presented with an informational message saying that this is an early release of the package; it is nevertheless functional. The install creates a rancid user without a password, so you will have to set one for this user:
baggy@plasma:~$ sudo passwd rancid
Rancid Groups
After installing RANCID you have to configure the list of groups you will use.
A group is a collection of network devices. When a change is made to a device an email will be sent notifying the group admins.
Another way to use groups aside from separating the change notifications is that RANCID will store all device configurations from a group in a separate directory.
The groups are set up in the /etc/rancid/rancid.conf file.
In this example we'll set up the groups "core" and "access" by editing /etc/rancid/rancid.conf:
Add the groups
baggy@plasma:~$ sudo nano /etc/rancid/rancid.conf
Find the line starting with LIST_OF_GROUPS, add the groups separated by spaces, then save and exit:
LIST_OF_GROUPS="core access"; export LIST_OF_GROUPS
Verify the added groups
baggy@plasma:~$ cat /etc/rancid/rancid.conf | egrep -i "list.*group"
# LIST_OF_GROUPS (below). In addition to these, there will be a "CVS"
# list of rancid groups
LIST_OF_GROUPS="core access"; export LIST_OF_GROUPS
#LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"; export LIST_OF_GROUPS
Mail setup
Configure the rancid user to be able to send mail via postfix; this procedure is not covered here.
Once that is done you have to set up the mail aliases.
RANCID sends emails to the aliases rancid-[groupname] and rancid-admin-[groupname].
For our groups core and access edit the /etc/aliases file as follows:
baggy@plasma:~$ sudo nano /etc/aliases
Add below lines:
rancid-core: baggy@me.com
rancid-admin-core: baggy@me.com
rancid-access: baggy@me.com
rancid-admin-access: baggy@me.com
You can replace baggy@me.com with the admin email for each group.
CVS Setup
By default RANCID uses CVS to keep track of changes to your devices.
To prepare the CVS database, run the command rancid-cvs as the rancid user.
This needs to be done each time you add a new group to /etc/rancid/rancid.conf:
baggy@plasma:~$ sudo -i -u rancid /var/lib/rancid/bin/rancid-cvs
This will create a directory for each group in /var/lib/rancid: the core group will be located in /var/lib/rancid/core and the access group in /var/lib/rancid/access.
Adding Hosts
The router.db file is specific to each group and located in the group directory.
Note that even if the devices are not routers they are still added to the router.db for that group.
Add devices to the group by editing /var/lib/rancid/core/router.db and /var/lib/rancid/access/router.db.
rancid@plasma:~$ nano /var/lib/rancid/core/router.db
Add your devices in the format below, then save and exit:
hostname1:cisco:up
192.168.56.36:juniper:up
If you use hostnames, they must be defined in the /etc/hosts file.
To add a host name, hostname1, with IP address 192.168.56.57 for example, edit /etc/hosts and add:
rancid@plasma:~$ cat /etc/hosts
192.168.56.57 hostname1
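The group list in rancid.conf, the rancid-GROUP / rancid-admin-GROUP aliases, and the per-group directories and router.db files created above all have to agree, and nothing in RANCID checks that for you. The script below is an added example (not part of RANCID or this guide) that cross-checks them; the paths are parameters so it can be run against the real files (/etc/rancid/rancid.conf, /etc/aliases, /var/lib/rancid) or against a test tree.

```sh
#!/bin/sh
# Added example, not RANCID code: cross-check rancid.conf groups against
# /etc/aliases and the per-group directories created by rancid-cvs.

# Print the group names from the active LIST_OF_GROUPS line of a rancid.conf.
# Commented-out assignments (leading '#') are ignored.
rancid_groups() {
  sed -n 's/^LIST_OF_GROUPS="\([^"]*\)".*/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Usage: rancid_check_groups RANCID_CONF ALIASES_FILE RANCID_BASE_DIR
# Prints one "MISSING ..." line per problem found and returns 1 if any were
# found, 0 when every group has both aliases, its directory and a router.db.
rancid_check_groups() {
  conf=$1; aliases=$2; base=$3; rc=0
  for g in $(rancid_groups "$conf"); do
    for a in "rancid-$g" "rancid-admin-$g"; do
      grep -q "^$a:" "$aliases" || { echo "MISSING alias $a in $aliases"; rc=1; }
    done
    [ -d "$base/$g" ] || { echo "MISSING directory $base/$g (run rancid-cvs)"; rc=1; }
    [ -f "$base/$g/router.db" ] || { echo "MISSING $base/$g/router.db"; rc=1; }
  done
  return $rc
}

# Run against the live configuration when executed directly, e.g.:
#   sh check_rancid_groups.sh
# (assumed script name; the default paths are those used in this guide)
if [ "${RANCID_CHECK_MAIN:-}" = 1 ]; then
  rancid_check_groups /etc/rancid/rancid.conf /etc/aliases /var/lib/rancid
fi
```

Run it after every change to LIST_OF_GROUPS; a missing alias means change notifications for that group are silently bounced by postfix. Remember that postfix only sees edits to /etc/aliases after newaliases has been run.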
Device Access
Credentials to access the devices are stored in the .cloginrc file.
You have to create it manually in the rancid user's home directory, /var/lib/rancid:
rancid@plasma:~$ cd /var/lib/rancid
rancid@plasma:~$ nano .cloginrc
Add the lines below, then save and exit:
add autoenable * 1
add method * ssh
add user * rancid
add password * rancidpassword
This tells RANCID to log in to all devices (*) with SSH, using the username rancid and the password rancidpassword.
The autoenable line tells RANCID that the devices are configured to place the rancid user in enable mode directly after login.
You must also change the permissions on the file to lock it down and prevent unauthorised access to the .cloginrc file:
rancid@plasma:~$ chmod 600 .cloginrc
Change the permissions and ownership of the rancid directories:
rancid@plasma:~$ chown -R rancid:rancid /var/lib/rancid
rancid@plasma:~$ chown -R rancid:rancid /var/log/rancid
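Because .cloginrc holds plaintext device credentials, and a malformed router.db line makes RANCID skip or misidentify a device, both files are worth checking before the first run. The following pre-flight check is an added example, not RANCID's own tooling: it verifies that .cloginrc has no group or world permission bits and that every router.db entry has the three host:vendor:state fields used in this guide, with state up or down. It assumes GNU stat (as shipped on Debian) and takes the file paths as parameters.

```sh
#!/bin/sh
# Added example, not RANCID code: pre-flight checks for .cloginrc and router.db.

# Return 0 when FILE exists and is readable by its owner only (mode 600 or 400).
# Assumption: GNU coreutils stat, so "stat -c %a" prints the octal mode.
cloginrc_is_locked_down() {
  f=$1
  [ -f "$f" ] || { echo "no such file: $f"; return 1; }
  mode=$(stat -c %a "$f")
  case $mode in
    600|400) return 0 ;;
    *) echo "$f has mode $mode, expected 600 (chmod 600 $f)"; return 1 ;;
  esac
}

# Validate a router.db in the host:vendor:state format shown above.
# Blank lines and '#' comments are ignored. Prints FILE:LINE for every bad
# entry and returns 1 if any were found, otherwise 0.
routerdb_check() {
  awk -F: '
    BEGIN { bad = 0 }
    /^[ \t]*(#|$)/ { next }
    NF != 3 {
      print FILENAME ":" NR ": expected host:vendor:state -> " $0; bad = 1; next
    }
    $3 != "up" && $3 != "down" {
      print FILENAME ":" NR ": state must be up or down -> " $0; bad = 1
    }
    END { exit bad }
  ' "$1"
}

# Check the files from this guide when run with RANCID_PREFLIGHT_MAIN=1.
if [ "${RANCID_PREFLIGHT_MAIN:-}" = 1 ]; then
  cloginrc_is_locked_down /var/lib/rancid/.cloginrc
  for db in /var/lib/rancid/core/router.db /var/lib/rancid/access/router.db; do
    routerdb_check "$db"
  done
fi
```

The separator and the vendor names are taken from the examples in this guide; if your RANCID release documents a different router.db syntax (see its router.db man page), adjust the awk field separator accordingly.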
Testing
Once authentication has been set up you can try to log in to one of the devices using the rancid user.
The rancid user has to be created on the respective routers and switches.
Logging in to Cisco devices is done with the clogin command located in /var/lib/rancid/bin.
In that directory you will also notice other *login programs; for example clogin is for Cisco, hlogin is for HP devices, flogin is for Foundry and jlogin is for Juniper devices.
To test a Juniper login:
baggy@plasma:~$ jlogin 192.168.56.57
To test a Cisco login:
baggy@plasma:~$ clogin 192.168.56.36
Scheduling running of rancid
In order for RANCID to keep track of changes you have to schedule a cron job which will run as the rancid user.
rancid@plasma:~$ crontab -e
Add the line below (five time fields, then the command), then save and exit:
0 * * * * /usr/bin/rancid-run
This will schedule a run each hour and notify the members of the respective group each time any of the devices change.
You can of course set it to run how often you like depending on your needs.
Viewing change history
Once you have executed rancid-run, or it has been run by cron, your device configurations will be stored in the configs directory of each group.
Each time RANCID detects a change it will create a new revision and store what changed since the last run.
rancid@bigpaul:~/core/configs$ cvs log 192.168.56.57
RCS file: /var/lib/rancid/CVS/core/configs/192.168.56.57,v
Working file: 192.168.56.57
head: 1.3
branch:
locks: strict
access list:
symbolic names:
keyword substitution: o
total revisions: 3; selected revisions: 3
description:
----------------------------
revision 1.3
date: 2019-01-05 20:15:36 +0300; author: rancid; state: Exp; lines: +24 -21; commitid: 1005C30E638133783F5;
updates
----------------------------
revision 1.2
date: 2019-01-05 20:13:10 +0300; author: rancid; state: Exp; lines: +404 -0; commitid: 1005C30E5A612E4A185;
updates
----------------------------
revision 1.1
date: 2019-01-05 20:13:07 +0300; author: rancid; state: Exp; commitid: 1005C30E5A312C45EEE;
new router
=============================================================================
Examining the output you can see that there are three revisions of 192.168.56.57 so far:
- revision 1.1, when the file was created
- revision 1.2, when rancid-run collected the configuration for the first time, adding 404 lines
- revision 1.3, which added 24 lines and removed 21
You can then use cvs diff to see what changed between revisions.
rancid@bigpaul:~/core/configs$ cvs dif -r 1.2 -r 1.3 192.168.56.57
Index: 192.168.56.57
===================================================================
RCS file: /var/lib/rancid/CVS/core/configs/192.168.56.57,v
retrieving revision 1.2
retrieving revision 1.3
diff -r1.2 -r1.3
3,16c3,16
< # rancid> show chassis clocks
< # rancid> show chassis environment
< # rancid> show chassis firmware
< # rancid> show chassis fpc detail
< # rancid> show chassis hardware detail
< # rancid> show chassis hardware models
< # rancid> show chassis routing-engine
< # rancid> show chassis scb
< # rancid> show chassis sfm detail
< # rancid> show chassis ssb
< # rancid> show chassis feb detail
< # rancid> show chassis feb
< # rancid> show chassis cfeb
< # rancid> show chassis alarms
---
> # virt> show chassis clocks
> # virt> show chassis environment
> # virt> show chassis firmware
> # virt> show chassis fpc detail
> # virt> show chassis hardware detail
> # virt> show chassis hardware models
> # virt> show chassis routing-engine
> # virt> show chassis scb
> # virt> show chassis sfm detail
> # virt> show chassis ssb
> # virt> show chassis feb detail
> # virt> show chassis feb
> # virt> show chassis cfeb
> # virt> show chassis alarms
19,20c19,20
< # rancid> show system license
< # rancid> show system boot-messages
---
> # virt> show system license
> # virt> show system boot-messages
90c90
< # rancid> show system core-dumps
---
> # virt> show system core-dumps
92c92,93
< # rancid> show version detail
---
> # virt> show version detail
> # Hostname: virt
220c221,222
< # rancid> show version invoke-on other-routing-engine
---
> # virt> show version invoke-on other-routing-engine
> # Hostname: virt
248,249c250,251
< # rancid> show configuration
< ## Last commit: 2019-01-05 10:14:49 UTC by root
---
> # virt> show configuration
> ## Last commit: 2019-01-05 20:15:46 UTC by root
251a254
> host-name virt;
The output above gives us more information.
First we see changes in the filesystem on the switch, as the size of the configuration file grows or shrinks when we change the configuration.
Then at the bottom we see what was actually changed: in this case the line "host-name virt;" was added since the last rancid-run.
It's possible to exclude part of the output from RANCID if you aren't interested in changes made to the filesystem.
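Most of the diff above is noise: the "# rancid>" / "# virt>" lines are the command banners RANCID writes around each show command, and they all changed only because the device prompt changed. When reviewing a change notification, it helps to see just the configuration lines. The filter below is an added example, not part of RANCID, that reads a "cvs diff" output on stdin and prints only the changed lines that are not '#' comment or banner lines, together with the hunk header that locates them; the embedded sample is a constructed excerpt of the diff shown above.

```sh
#!/bin/sh
# Added example, not RANCID code: strip RANCID command banners and comment
# lines from a "cvs diff" of a collected configuration, leaving real changes.

# Reads a classic (non-unified) cvs diff on stdin. Hunk headers such as
# "251a254" or "3,16c3,16" are remembered and printed only if the hunk
# contains at least one changed line that does not start with '#'.
rancid_diff_config_only() {
  awk '
    /^[0-9]+(,[0-9]+)?[acd][0-9]+(,[0-9]+)?$/ { hunk = $0; next }
    /^[<>] / {
      body = substr($0, 3)
      if (body ~ /^#/) next          # RANCID "# prompt> cmd" banners, "## Last commit" etc.
      if (hunk != "") { print hunk; hunk = "" }
      print
    }
  '
}

# Constructed sample: a shortened copy of the cvs diff shown above.
sample_diff() {
  printf '%s\n' \
    '3,16c3,16' \
    '< # rancid> show chassis clocks' \
    '---' \
    '> # virt> show chassis clocks' \
    '248,249c250,251' \
    '< # rancid> show configuration' \
    '< ## Last commit: 2019-01-05 10:14:49 UTC by root' \
    '---' \
    '> # virt> show configuration' \
    '> ## Last commit: 2019-01-05 20:15:46 UTC by root' \
    '251a254' \
    '> host-name virt;'
}

# Usage against a real repository, run as the rancid user in a group's
# configs directory:  cvs diff -r 1.2 -r 1.3 192.168.56.57 | rancid_diff_config_only
if [ "${RANCID_DIFF_MAIN:-}" = 1 ]; then
  sample_diff | rancid_diff_config_only
fi
```

On the sample this prints only "251a254" and "> host-name virt;". The filter drops every changed line beginning with '#', which is how RANCID marks its own banners; on platforms whose configuration comments also begin with '#', those comments are hidden as well.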
Gathering specific information
You can also use the login programs for more specific tasks.
You can tell RANCID to log in to a specific device and run one command using the -c option:
baggy@plasma:~$ jlogin -c "show system users" 192.168.56.57
The above command would log in to the 192.168.56.57 router, execute the show system users command and then log out of the router.
This in itself might not save you much time, but perhaps you want to run a command several times over a period of time.
Then you can schedule a command like this to collect information, or you can run the command against all your routers.
Another parameter you can use with the login command is -x. It works like -c, but instead of typing in the commands you want to execute you store them in a separate file.
baggy@plasma:~$ clogin -x commands.txt 192.168.57.56
The above command would log in to the IP 192.168.56.57 and execute all the commands you have entered in the commands.txt file.
baggy@plasma:~$
clogin -x commands.txt `cat switches.txt`
The above command would log in to each IP from the file switches.txt and execute all the commands you have entered in the commands.txt file.
Commands in the commands.txt file should be separated by a newline character, as should the devices in the switches.txt file.