Tuesday, May 6, 2008

Setting up and Installing Rancid on FreeBSD for Cisco Products

What is Rancid?
Rancid is an application that monitors a device's configuration, including its software and hardware details. The configuration is stored in a Concurrent Versions System (CVS) repository. Most of the time it is used to back up router, switch and firewall configurations, and to notify you when a configuration has changed, e.g. a firewall rule, a router's IP address or an access list.

Here is an example of the output:

===================================================================
retrieving revision 1.29
diff -u -4 -r1.29 mpls-jhb-pe1
@@ -288,9 +288,9 @@
!
interface Serial0/0
description Link to Client X
bandwidth 2048
- ip address 192.168.1.244 255.255.255.254
+ ip address 192.168.1.234 255.255.255.254
ip route-cache flow
ip tcp header-compression iphc-format
ip tcp compression-connections 256
! ip ospf message-digest-key 1 md5

The - symbol represents what was removed, the + symbol what was added.
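
Review bot: the ip ospf message-digest-key 1 md5 line that closes this hunk shows no key value after md5, which is consistent with RANCID's password filtering having replaced the key before the config was committed; when reading diffs like this, confirm that such secrets really are being stripped, because otherwise both the CVS repository and the mailed diff carry them in clear. The address change on Serial0/0 is on a /31 (255.255.255.254), so the far end of the point-to-point link has to change with it; a diff like this is worth matching against a change record before the new revision is accepted as the baseline.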

The above example is from a Cisco router, but Rancid also supports Redback, Foundry, HP ProCurve, Juniper and a host of others besides Cisco routers and switches.
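
Here is an added example (not from the original post or from RANCID itself) of how a reviewer can triage a diff like the one above: it prints only the added or removed lines that touch security-sensitive configuration. The sample diff is constructed, modelled on the one shown, and the keyword list is an assumption to tune for your own network.

```shell
#!/bin/sh
# Added example, not from the original post or from RANCID: triage a RANCID
# diff and print only the changed lines a security reviewer should check first.

# Constructed sample diff, modelled on the one shown in the post.
SAMPLE_DIFF='retrieving revision 1.29
diff -u -4 -r1.29 mpls-jhb-pe1
@@ -288,9 +288,9 @@
 !
 interface Serial0/0
  description Link to Client X
- ip address 192.168.1.244 255.255.255.254
+ ip address 192.168.1.234 255.255.255.254
 ip route-cache flow
+access-list 101 permit ip any any
-snmp-server community public RO
+snmp-server community Example42 RW
 !'

# Config keywords whose change warrants a human look (an assumed starting
# list; extend it to match your own policy).
SENSITIVE_RE='access-list|ip access-group|snmp-server|username|enable (secret|password)|aaa |line vty|ip address|crypto|tacacs-server|logging'

# Print "host<TAB>+/-<TAB>config line" for each added/removed sensitive line.
# Reads the diff from the files given as arguments, or from stdin.
rancid_diff_triage() {
    awk -v re="$SENSITIVE_RE" '
        /^diff / { host = $NF; next }   # "diff -u ... <hostname>" names the device
        substr($0, 1, 4) == "+++ " || substr($0, 1, 4) == "--- " { next }
        /^[-+]/ {
            line = substr($0, 2)          # drop the +/- marker
            sub(/^[ \t]+/, "", line)      # and the config indentation
            if (line ~ re)
                printf "%s\t%s\t%s\n", host, substr($0, 1, 1), line
        }' "$@"
}

# Number of flagged lines; a non-zero count is a reasonable alert trigger.
rancid_diff_flag_count() {
    rancid_diff_triage "$@" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_DIFF" | rancid_diff_triage
```

In practice you would feed it the diff RANCID mails you (or the output of cvs diff in the group directory) from a procmail rule or a wrapper around rancid-run.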

I suggest that you also use TACACS+ if your hardware supports it; my install guide is here.

Installing Rancid

Install the port from /usr/ports/net-mgmt/rancid/; you can just run "make install clean".

Once installed, the files you will need to configure are found in a few places:

The config files are in /usr/local/etc/rancid
The bin files are in /usr/local/libexec/rancid
The CVS repository and other files needed are in /usr/local/var/rancid
Other files are in /usr/local/share/rancid/

Firstly, the rancid.conf file.

Copy rancid.conf.sample to rancid.conf.
The conf file is pretty well commented and there are only two or three lines you need to change.
The lines I changed are as follows:

LIST_OF_GROUPS="networks"
MAILDOMAIN="@yourdomain.tld"; export MAILDOMAIN

You might also want to check this line:
OLDTIME=4; export OLDTIME
OLDTIME is the number of hours that may pass before rancid complains about routers/devices that cannot be reached. 4 hours is the default; you could change it to 1 or 2 hours, but if the cron job that collects the configs runs every 2 hours, setting OLDTIME to 1 hour is not going to help much.

4 hours should be fine. You should have some sort of NMS in place anyway that tells you about network problems, so you should not have to rely on Rancid as an NMS.

Creating a Rancid User

I would suggest creating a rancid user.
No special privileges are needed that I have noticed.
I just used a standard user and a bash shell (I'm more comfortable using bash).

The .cloginrc file

This file is also pretty well commented and should be pretty easy to figure out. The file should be in the rancid user's home directory, the owner and group should be the rancid user, and since it holds the device passwords in clear text it should be chmod 640 or 600 so nobody else can read it.

Here is an example from mine.
add user * rancid
Rancid will log in as the rancid user if the device uses a username prompt, i.e. TACACS+.

add password *-pix-fw
add method *-pix-fw ssh
The above will log into any host matching *-pix-fw (e.g. somehost-pix-fw) as rancid with the password specified above.

add password specific-hosting-fw
add method specific-hosting-fw ssh
The above will log into only the firewall whose hostname is specific-hosting-fw, as rancid, with the password specified above.

# all our routers, i.e.: everything else
add password *

# set ssh encryption type, dflt: 3des
add cyphertype *

There are many other options in the file, but these are the basics you need to get up and running. Once your .cloginrc file is set up it is time to test it.
su to your rancid user ("su rancid")
and run /usr/local/libexec/rancid/clogin followed by the IP address of the host you want to log into.
If all goes well you should see something like this:

[rancid@rat ~]$ clogin 10.0.0.1
10.0.0.1
spawn telnet 10.0.0.1
Trying 10.0.0.1...
Connected to MPLS-JHB-PE1.
Escape character is '^]'.

MPLS-JHB-PE1 line 162


User Access Verification

Username: rancid
Password:

MPLS-JHB-PE1>enable
Password:
MPLS-JHB-PE1#
MPLS-JHB-PE1#


You might want to consider linking the clogin script in the libexec dir to somewhere in your path, such as /usr/sbin:
ln -s /usr/local/libexec/rancid/clogin /usr/sbin/clogin

If your hosts are not in your DNS zone files, you can add them to your /etc/hosts file.

Yes, you guessed it, I'm a lazy swine, so the first thing I did was add a bunch of aliases to my .bashrc file, copy the .cloginrc file to my home directory and change the user name in the file from rancid to my username.

Now all I have to do to log into a router, switch or firewall is type the alias name and I'm in, with no need to remember passwords.
However, there are security considerations you should think about beforehand: that copy of .cloginrc is a second clear-text store of every device password, with the same ownership and permission requirements as the original.

Here is an example of the aliases in my .bashrc file:

## Aliases ##
alias mpls='clear;clogin mpls-ny-pe1;clear'
alias mcore1='clear;clogin mcore1-ny-sw;clear'
alias mcore2='clear;clogin mcore2-ny-sw;clear'

OK, now most of the hard work is done.
Next is setting up the CVS repository and telling Rancid which devices to monitor for config changes.

The first thing to do here is check whether this directory exists:
/usr/local/var/rancid/
If it does and it is not from a previous working install (then again, if it were, you probably would not be reading this), cd to /usr/local/ (as root)
and rm -fr var/rancid

Then, as the rancid user, do the following:
mkdir /usr/local/var/
mkdir /usr/local/var/rancid

Then run rancid-run. It should already be in /usr/local/bin/rancid-run; if it is not, you can create a link as you did with clogin (the rancid-run and rancid-cvs binaries are in the libexec dir).

When you run rancid-run as the rancid user you should not get any errors.
Then run rancid-cvs.

After running these two rancid binaries, your /usr/local/var/rancid directory should contain the following directories:

CVS logs networks
(networks here is the group you set with LIST_OF_GROUPS in /usr/local/etc/rancid/rancid.conf)

cd to the networks directory (or whatever group you created)
and vi the router.db file, adding the hosts you want to monitor. Example below:
mpls-tex-pe1:cisco:up
mpls-la-pe1:cisco:up
mpls-ny-pe1:cisco:up
mpls-was-pe1:cisco:up
mpls-london-pe1:cisco:up
mpls-oz-pe1:cisco:up
fw-client:cisco:up
core1-sw-ny-1:cisco:up
core2-sw-ny-2:cisco:up

etc.

I would suggest adding just one line for now so you can test it.
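
Before the first rancid-run, two things from this page are worth checking mechanically: that .cloginrc has the ownership and mode described above, and that every router.db line is well formed, since a malformed line just means that device is skipped. The script below is an added example, not part of the post or of RANCID; the accepted device types are an assumed subset of RANCID's, so extend the list for your own vendors.

```shell
#!/bin/sh
# Added example, not from the original post or from RANCID: pre-flight checks
# for the two hand-edited files rancid depends on.

# .cloginrc holds device passwords in clear text, so it must be mode 600 or
# 640 and, if an owner is given, belong to that user (the rancid user).
# Parses ls output because BSD and GNU stat take different flags.
check_cloginrc() {
    f=$1
    owner=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)
    fowner=$(ls -ld "$f" | awk '{ print $3 }')
    case "$perms" in
        -rw-------|-rw-r-----) ;;
        *) echo "$f: mode is $perms, want 600 or 640"; return 1 ;;
    esac
    if [ -n "$owner" ] && [ "$fowner" != "$owner" ]; then
        echo "$f: owned by $fowner, want $owner"; return 1
    fi
    return 0
}

# router.db: one "name:type:state" per line. A malformed line means that
# device is quietly skipped, so fail loudly here instead.
# The type list is an assumed subset of RANCID's device types; extend it.
check_routerdb() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blanks
        NF != 3 || $1 == "" { bad++; print "line " NR ": malformed: " $0; next }
        $2 !~ /^(cisco|juniper|foundry|hp|redback)$/ { bad++; print "line " NR ": unknown type " $2; next }
        $3 !~ /^(up|down)$/ { bad++; print "line " NR ": bad state " $3 }
        END { exit bad ? 1 : 0 }' "$1"
}

# Run both checks: home dir of the rancid user, expected owner, router.db path
# (the post's group is "networks", so /usr/local/var/rancid/networks/router.db).
rancid_preflight() {
    check_cloginrc "$1/.cloginrc" "$2" && check_routerdb "$3"
}
```

Run it as the rancid user before the first rancid-run and again whenever router.db is edited; a non-zero exit means something to fix.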

Also, on your mail server, add an alias to mail you or your group the info that rancid sends:
vi /etc/aliases

rancid-networks: bob,john,jack

Or you could do this:
networks: bob,john,jack
rancid-networks: networks

But mail policies are up to you. Remember that rancid-xxxxxx will be whatever your group was called; mine is networks, hence the alias rancid-networks.

Once you have set up the mail to send you rancid's logs, run rancid-run again.

With any luck you will receive an email with a bunch of info regarding the host you just had rancid log into.
It should look similar to the output example near the top of this page.

If not, then either you have a problem with your rancid config (check /usr/local/var/rancid/logs for log files),
or your alias is not working, or the server you are running rancid from is not sending the mail (mail server stopped, disabled, being blocked, etc.).

Last step, if all works: add a crontab as the rancid user, something like this:
crontab -e
@hourly /usr/local/bin/rancid-run

1 comment:

Leslie said...

Thank you for this blog! I just found it and it has been very helpful.
