RANCID (Really Awesome …) C0nF1gUr@t10N M@nGl3m3n7

What RANCID does
  • Adds a layer of accountability
  • Adds in configuration backup via SCC system (CVS or SVN)
  • Creates a configuration alerting system
  • Keeps everyone with access on their toes!
  • RANCID as an access control mechanism?

Building RANCID
  • Requires a slightly older, non-stock version of expect.
  • Requires a build of tcl and tk to match.
  • Build from source on *nix systems.
  • Easy once you’ve done it once; the first time can be “the suck”.
  • Install it to its own user (or at least, I like to ;))

Basic Configuration
  • Thankfully, no major list of CPAN requirements.
  • Text editor of choice (yes, I use vim).
  • ~/.cloginrc requires privileged access if you’re planning to use it as an access control mechanism.
  • ~/etc/rancid.conf for RANCID, ~/etc/lg.conf for looking glass functionality (I don’t use it, although some might want to).

.cloginrc details
  • Based on hostname or wildcards
  • add user <fqdn_or_wildcard> <username>
  • add password <fqdn> {login_pass} {enable_pass}
  • add method ssh telnet (first one, then the other).
  • add autoenable 0 or 1 if your login user is that cool and your device supports it.
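An added example (not from the original slides or the RANCID project): a small Python audit of a .cloginrc that resolves the first matching `add` line per hostname and flags a file mode readable beyond the owner or a method list that permits telnet. The sample file, the hostnames and the `parse`, `first_match` and `audit` helpers are constructed for illustration, and Python's fnmatch stands in for the login scripts' own wildcard matching.

```python
import fnmatch

# Constructed sample .cloginrc; hostnames and credentials are placeholders.
SAMPLE = """\
# core routers: ssh only
add user       core-*.example.net  rancid
add password   core-*.example.net  {login_pass} {enable_pass}
add method     core-*.example.net  ssh
# everything else: ssh first, then telnet
add user       *.example.net       rancid
add password   *.example.net       {login_pass} {enable_pass}
add method     *.example.net       ssh telnet
add autoenable *.example.net       1
"""

def parse(text):
    """Return [(directive, host_glob, values)] for every 'add' line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "add":
            values = [f.strip("{}") for f in fields[3:]]
            entries.append((fields[1], fields[2], values))
    return entries

def first_match(entries, directive, host):
    """Values of the first entry of this directive whose glob matches host."""
    for name, glob, values in entries:
        if name == directive and fnmatch.fnmatchcase(host, glob):
            return values
    return None

def audit(text, mode, hosts):
    """Return (subject, issue) findings for a .cloginrc and its file mode."""
    findings = []
    if mode & 0o077:  # any group/other permission bit set
        findings.append((".cloginrc", "mode %04o exposes stored passwords" % mode))
    entries = parse(text)
    for host in hosts:
        if first_match(entries, "password", host) is None:
            findings.append((host, "no password entry matches"))
        method = first_match(entries, "method", host)
        if method is None:
            findings.append((host, "no method line matches; login default applies"))
        elif "telnet" in method:
            findings.append((host, "telnet allowed: " + " ".join(method)))
    return findings

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE, 0o644, ["core-1.example.net", "edge-1.example.net"]):
        print(subject + ": " + issue)
```

Because the first matching line wins, the order of specific and wildcard entries decides which method and credentials a device actually gets.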

~/etc/rancid.conf
  • Defaults are *pretty* good; change RCSSYS=svn if you’re using subversion.
  • By the way, did you remember to install subversion?
  • LIST_OF_GROUPS controls the different ‘groups’ of routers you manage. Useful if you want emails to go to different groups of people.
  • MAILHEADERS: Sweet.. I can say whatever silly things I want.. Or set filtration and scoring artificially by putting something to bypass my filters in there.

/etc/aliases
  • By default, RANCID expects to use /etc/aliases as the address resolution mechanism. You need two aliases for each rancid group:
  • rancid-admin-<groupname>
  • rancid-<groupname>
  • Router adds/moves/deletes go to rancid-admin, configuration changes go to group.

~/bin/rancid-cvs
  • Must be run before doing anything, as it sets up the repositories!
  • Duh, I guess I need subversion *and* subversion-devel installed.
  • If it doesn’t work, it’s likely not RANCID’s fault, check your installation.
  • No, I never tried installing it with CVS, sorry, I’m sure it’s just as simple. ;)

Run rancid manually
  • ~/bin/rancid-run <groupname>
  • Check ~/var/logs/ for the result if it’s not going the way you think it should, or taking too long.
  • Check your email!
  • Check (out) your svn repository.
  • RANCID sanitizes configs!

RANCID as a command tool
  • ?login -c <command>
  • ?login -x <commandfile>
  • Who needs to remember router passwords anymore?
  • Why does it matter?
  • Rolling out large-scale configuration changes to homogeneous devices with automatic error checking.

What’s the difference between RANCID and <$NCM>?
  • Use in parallel to your existing commercial NCM system if you have one.
  • If you don’t, it’s cheap, easy, and works remarkably well.
  • I challenge you to find a commercial NCM as flexible and extensible.
  • RANCID is not GUI. Sorry, Windows guys!
  • RANCID can offer web viewing of configs with packages like viewCVS.

In conclusion
  • RANCID’s cheaper, faster and better as long as its lack of GUI management features doesn’t bother you.
  • RANCID would be a complete NCM system with a good TACACS+ installation.
  • (Any Perl guys wanna help me fix this *one* tiny little thing and get it included in the next release?)

Questions?
  • Answers!