Wednesday, June 4, 2014

How to set up and use RANCID under CentOS

http://www.openlogic.com/wazi/bid/346615/how-to-set-up-and-use-rancid-under-centos


RANCID (Really Awesome New Cisco ConfIg Differ) is a powerful tool for keeping track of changes in the configuration of network devices, not only from Cisco, but also vendors such as Juniper, Catalyst, and Foundry. You can use RANCID to view configuration files, compare changes in different versions of configuration, and save a historic record of configuration instances.
To start setting up RANCID under CentOS, add the repoforge.org repository to your system. I also suggest disabling SELinux, but tuning SELinux for RANCID is beyond the scope of this article. Then install RANCID's dependencies using yum and make sure that the cron, MySQL, and Apache HTTP Server services are started:
yum install expect cvs python httpd mysql mysql-server gcc make autoconf gcc-c++ kernel-devel php-common php-gd php-mcrypt php-pear php-pecl-memcache php-mysql php-xml MySQL-python crontabs telnet docutils rcs

yum groupinstall "Development tools"
yum install MySQL-python diffutils

service crond restart; chkconfig crond on
service mysqld restart; chkconfig mysqld on
service httpd restart; chkconfig httpd on
Next, create a user, group, and home directory for RANCID, then download the project's tarball to that directory and install RANCID from source:
groupadd netadm
useradd -g netadm -d /usr/local/rancid rancid
mkdir /usr/local/rancid/pkg
cd /usr/local/rancid/pkg

wget http://pkgs.fedoraproject.org/repo/pkgs/rancid/rancid-2.3.6.tar.gz/c700f33978d2eb5a246bec056280c017/rancid-2.3.6.tar.gz
tar zxvf rancid-2.3.6.tar.gz

cd rancid-2.3.6
./configure --prefix=/usr/local/rancid/
make install
After RANCID is installed, copy a sample .cloginrc file, the file RANCID uses to store passwords, from the installation package. Also set appropriate permissions for the user and group rancid:netadm, and make sure they own the files under the rancid directory:
cp /usr/local/rancid/pkg/rancid-2.3.6/cloginrc.sample /usr/local/rancid/.cloginrc
chmod 640 /usr/local/rancid/.cloginrc 
chmod 775 /usr/local/rancid/
chown -R rancid:netadm /usr/local/rancid/
Now you can edit RANCID's configuration file /usr/local/rancid/etc/rancid.conf so that it reflects your network. Depending on your network architecture, you could group devices by department, geographic location, or campus, or by the function they provide, such as management, voice, or data equipment. You can create a separate RANCID group for each managed network, each containing its own switches and routers. To show how this works, let's define two networks: Network1 will contain a router (Network1-Router-A, IP: 10.10.10.1), and Network2 will contain another router (Network2-Router-B, IP: 11.11.11.1):
LIST_OF_GROUPS="Network1 Network2"
RANCID works with CVS (Concurrent Versions System), a version control tool, to keep track of changes in configuration files. Whenever RANCID detects a change in the configuration of a device, the change is stored in a new file with an updated version number. Administrators can track changes back to the initial configuration version.
As user rancid, run rancid-cvs to create the necessary CVS repositories. RANCID reads its configuration file and creates the required files for each network group, Network1 and Network2 in this case:
su - rancid
bin/rancid-cvs
Next, again as user rancid, edit the file .cloginrc and add the device credentials. The login password is the non-administrative password you use to log in to the switch or router. RANCID also needs the "enable" or administrative password in order to read the startup or running configuration file:
#NETWORK1-ROUTER-A
add user 10.10.10.1
add password 10.10.10.1 login-pass enable-pass

#NETWORK2-ROUTER-B
add user 11.11.11.1
add password 11.11.11.1 login-pass enable-pass
The passwords are stored in plain text in .cloginrc, which is a security concern, but the file is mode 640 for rancid:netadm, so only the rancid user, members of the netadm group, and root can read it. The device configuration files that RANCID stores contain passwords in whatever form the device itself keeps them, plain text or encrypted, so they deserve the same care.
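As an added example (not from the original article or from the RANCID project), the following POSIX shell script checks that a credentials file keeps the 640 rancid:netadm posture described above, meaning no read or write bit for others and no write bit for the group, and lists the members of a group, since every member can read a group-readable file. The listing is worth running again after the ViewVC steps later in the article, where apache is added to netadm: it will then show that the web server user can read .cloginrc too. The /etc/group line used in the comments is constructed for the demonstration, and the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original article or from the RANCID
# project. Checks that a credentials file such as .cloginrc stays at the
# article's 640 rancid:netadm posture and shows who the group bit lets in.

# check_cred_perms FILE
# Returns 0 if FILE is a regular file that others cannot read or write
# and the group cannot write (640, 600 and 400 all pass); otherwise prints
# the first offending bit on stderr and returns 1.
check_cred_perms() {
    _f=$1
    if [ ! -f "$_f" ]; then
        echo "$_f: not a regular file" >&2
        return 1
    fi
    # POSIX find(1): -perm -MODE matches when every bit in MODE is set,
    # so each probe tests exactly one permission bit.
    for _probe in "004:readable by everyone" \
                  "002:writable by everyone" \
                  "020:writable by the group"; do
        _bits=${_probe%%:*}
        _why=${_probe#*:}
        if [ -n "$(find "$_f" -perm -"$_bits")" ]; then
            echo "$_f: $_why (mode bit $_bits set)" >&2
            return 1
        fi
    done
    return 0
}

# group_members GROUP [GROUPFILE]
# Prints the supplementary members of GROUP, one per line, read from
# GROUPFILE (default /etc/group). Each of them, plus the file owner and
# root, can read a mode-640 file owned by that group.
group_members() {
    awk -F: -v g="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "${2:-/etc/group}"
}

# Stand-alone usage (script name is an assumption):
#   sh cred_perms_check.sh /usr/local/rancid/.cloginrc
# Reports the owning group and who in it can read the file.
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do
        if check_cred_perms "$f"; then
            grp=$(ls -ld "$f" | awk '{ print $4 }')
            echo "$f: permissions ok; members of group '$grp' who can also read it:"
            group_members "$grp" | sed 's/^/  /'
        else
            rc=1
        fi
    done
    exit $rc
fi
```

The mode test deliberately uses find -perm -MODE rather than stat, whose flags differ between GNU and BSD systems; the three probes together accept 640, 600 and 400 and reject anything that widens access.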
You can test whether the entries in .cloginrc work by running the clogin script that RANCID provides; RANCID invokes the same script during its runs to log in to devices:
bin/clogin 10.10.10.1
10.10.10.1
spawn telnet 10.10.10.1
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.

User Access Verification

Password: 
NETWORK-1-ROUTER-A>enable
Password: 
NETWORK-1-ROUTER-A#
If the script fails, double-check that the passwords saved in .cloginrc are correct. Also check whether the ACLs in the router permit remote logins from the IP address of the RANCID server.
Once RANCID can recognize the routers and connect to them with the proper passwords, add the IP address or hostname, device type, and state of the device under the respective Network sections. To use hostnames you need to have DNS support. The device data is listed using the syntax ip-address:device-type:state. Devices for each group go in separate files called router.db under var/groupname for each group you defined.
vim /usr/local/rancid/var/Network1/router.db
10.10.10.1:cisco:up

vim /usr/local/rancid/var/Network2/router.db
11.11.11.1:cisco:up
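As an added example (not from the original article or from the RANCID project), the following POSIX shell script checks router.db files against the host:device-type:state format described above before rancid-run reads them: it flags lines with the wrong number of fields, states other than up or down, empty device types, and hosts listed twice, and it prints the hosts that would actually be polled. Devices in state down, which the article later uses to stop polling a device while keeping its history, are left out of that list. The path /usr/local/rancid/var/*/router.db in the usage comment is the article's layout; the script name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original article or from the RANCID
# project: check router.db files before rancid-run reads them. Each line
# is host:device-type:state as the article describes, state is "up" or
# "down", and blank lines and "#" comments are ignored.

# validate_router_db FILE
# Prints one diagnostic per malformed line on stderr. Returns 1 if any
# line was rejected, 0 if the file is clean.
validate_router_db() {
    _file=$1
    _status=0
    _lineno=0
    _seen=
    while IFS= read -r _line || [ -n "$_line" ]; do
        _lineno=$((_lineno + 1))
        case $_line in
            '' | '#'*) continue ;;
            *:*:*:*)
                echo "$_file:$_lineno: too many fields in '$_line'" >&2
                _status=1; continue ;;
            *:*:*) ;;   # exactly three fields, as required
            *)
                echo "$_file:$_lineno: expected host:type:state, got '$_line'" >&2
                _status=1; continue ;;
        esac
        _host=${_line%%:*}
        _rest=${_line#*:}
        _type=${_rest%%:*}
        _state=${_rest#*:}
        case $_host in
            '' | *[!A-Za-z0-9._-]*)
                echo "$_file:$_lineno: '$_host' is not a hostname or IP address" >&2
                _status=1 ;;
        esac
        if [ -z "$_type" ]; then
            echo "$_file:$_lineno: empty device type for $_host" >&2
            _status=1
        fi
        case $_state in
            up | down) ;;
            *)
                echo "$_file:$_lineno: state must be up or down, got '$_state'" >&2
                _status=1 ;;
        esac
        # The same host twice would be polled twice and its history split.
        case " $_seen " in
            *" $_host "*)
                echo "$_file:$_lineno: duplicate entry for $_host" >&2
                _status=1 ;;
        esac
        _seen="$_seen $_host"
    done < "$_file"
    return $_status
}

# up_devices FILE
# Prints the hosts rancid-run will actually contact: those in state "up".
# A device marked "down" keeps its saved versions but is not polled.
up_devices() {
    awk -F: '/^[ \t]*#/ { next } NF == 3 && $3 == "up" { print $1 }' "$1"
}

# Stand-alone usage (script name is an assumption), over the article's layout:
#   sh router_db_check.sh /usr/local/rancid/var/*/router.db
# Exits non-zero if any file contains a rejected line.
if [ $# -gt 0 ]; then
    rc=0
    for db in "$@"; do
        validate_router_db "$db" || rc=1
        echo "$db: hosts that will be polled:"
        up_devices "$db" | sed 's/^/  /'
    done
    exit $rc
fi
```

Running it from the rancid user's crontab just before rancid-run gives an early, logged warning about a typo in router.db instead of a silently skipped device.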
Next, invoke the rancid-run script, which executes RANCID. RANCID checks each added device, verifies any changes to an already saved configuration, and stores the configuration files with version numbers:
su - rancid
bin/rancid-run
If the run is successful, you should see text files named 10.10.10.1 and 11.11.11.1 under /usr/local/rancid/var/NetworkX/config that contain the entire configuration of each device.
Now create a cron job to run RANCID at a fixed interval so that the configuration files stored in RANCID are updated periodically. Choose an interval based on your requirements; I am using 30 minutes for this demonstration. Also, set up a second cron job to run at 00:00 on the first day of the month and remove log files that have not been modified for 30 days:
crontab -u rancid -e

*/30 * * * * /usr/local/rancid/bin/rancid-run #half hourly router dump
00 00 1 * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +30 -exec rm {} \;

service crond restart
At this point you have a running RANCID server that periodically checks and stores the configuration files of network devices.

Adding ViewVC

At this stage you can access the configuration files stored by RANCID only via the command line. A web interface could help users more easily access the stored information. ViewVC provides an easy-to-use web interface with navigable directory support and the ability to view different versions of configuration files and view and compare changes.
Before installing ViewVC you must install some Python package prerequisites:
cd /usr/local/rancid/pkg
wget http://peak.telecommunity.com/dist/ez_setup.py
python ./ez_setup.py 
easy_install babel
easy_install Genshi
easy_install Pygments
easy_install docutils
easy_install textile
Now you can set up and configure ViewVC:
cd /usr/local/rancid/pkg
wget http://viewvc.tigris.org/files/documents/3330/49347/viewvc-1.1.22.tar.gz
tar zxvf viewvc-1.1.22.tar.gz

cd viewvc-1.1.22
./viewvc-install ## we set the installation path as /usr/local/viewvc ##
Next, edit the ViewVC configuration file /usr/local/viewvc/viewvc.conf. Specify the root directory of the CVS repository you created earlier and the paths to executables ViewVC uses, such as rcs, enscript, and highlight:
[general]
root_parents = /usr/local/rancid/var/CVS : cvs
rcs_path = /usr/bin/
use_enscript = 1
enscript_path = /usr/bin/
use_highlight = 1
highlight_path = /usr/bin
Copy the ViewVC CGI files to Apache's cgi-bin directory and change their ownership to the Apache user and group:
cp /usr/local/viewvc/bin/cgi/*.cgi /var/www/cgi-bin/

chown apache:apache /var/www/cgi-bin/query.cgi  
chown apache:apache /var/www/cgi-bin/viewvc.cgi
You also need to add two aliases to Apache's /etc/httpd/conf/httpd.conf configuration file to link the ViewVC CGI scripts with landing pages of /rancid and /query:
ScriptAlias /rancid "/var/www/cgi-bin/viewvc.cgi"
ScriptAlias /query "/var/www/cgi-bin/query.cgi"
Then restart Apache with the command service httpd restart.
Next, edit /etc/group and add the user apache to the group netadm (GID in the line below stands for the group's numeric ID). Earlier we set mode 775 on /usr/local/rancid for user rancid and group netadm; adding apache to the group gives the web server the permissions it needs to read the repository under /usr/local/rancid. Note that .cloginrc is mode 640 with group netadm, so this membership also lets anything running as the apache user read the device passwords; restrict who can reach the ViewVC pages accordingly:
netadm:x:GID:apache
CVS can also be integrated with MySQL. Without MySQL, ViewVC has to work from the many separate text files in which CVS stores its information, which becomes inefficient as the number of files grows. With MySQL, ViewVC keeps records of the CVS filenames and of the checkout and commit states of files, which gives it an efficient platform for queries. Create a MySQL database for ViewVC as root:
/usr/local/viewvc/bin/make-database
MySQL Hostname (leave blank for default): 
MySQL Port (leave blank for default): 
MySQL User: root
MySQL Password: ##MySQL root password here##
ViewVC Database Name [default: ViewVC]:

mysql -u root -p
MySQL root password here

mysql> GRANT ALL ON ViewVC.* TO viewvcuser@localhost; 
mysql> set password for viewvcuser@localhost=password("viewvcpw"); 
mysql> FLUSH privileges;
Add the MySQL user viewvcuser to /usr/local/viewvc/viewvc.conf:
[cvsdb]
enabled = 1
host = localhost
port = 3306
database_name = ViewVC
user = viewvcuser
passwd = viewvcpw
Finally, populate the database with the necessary tables and the CVS data created earlier by rancid-cvs using an installed script:
/usr/local/viewvc/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT

Using RANCID

You can now access RANCID by pointing a browser to http://ServerIP/rancid. The interface contains separate links for each group you created.
Whenever a device configuration is changed, RANCID detects the change and saves the configuration using an incremented version number. Select any device to see information on all saved versions. You can view the entire configuration, as well as compare changes from any previous versions.
Figure 1: Different versions of one router's configuration stored in RANCID

Figure 2: A comparison between two versions of a router's configuration
If you want to add a new device to a group, switch to user rancid, add the credentials to .cloginrc, and add the IP information to /usr/local/rancid/var/groupname/router.db:
/usr/local/rancid/.cloginrc:
#NETWORK1-Switch-A
add user 10.10.10.2
add password 10.10.10.2 login-pass enable-pass

/usr/local/rancid/var/Network1/router.db
10.10.10.2:cisco:up
You can then run RANCID manually with a command like /usr/local/rancid/bin/rancid-run -r 10.10.10.2, or you can just wait for cron to run it.
You can disable polling of a device while retaining the already saved configuration versions, as you might do if you were taking down a switch but wanted to keep all the configuration information that RANCID has already saved. To do so, declare the device as down in the router.db file and RANCID will not poll it for changes:
11.11.11.11:cisco:down
To sum up, RANCID is a useful tool for managing and tracking changes to network device configurations. In network operations centers where many engineers work together, RANCID provides a platform to keep a history of changes, which can help not only for reverting back to previous states but also in network audits.
