http://www.openlogic.com/wazi/bid/346615/how-to-set-up-and-use-rancid-under-centos
RANCID (Really Awesome New Cisco ConfIg Differ) is a powerful tool for keeping track of changes in the configuration of network devices, not only from Cisco, but also vendors such as Juniper, Catalyst, and Foundry. You can use RANCID to view configuration files, compare changes in different versions of configuration, and save a historic record of configuration instances.
To start setting up RANCID under CentOS, add the repoforge.org repository to your system. I also suggest disabling SELinux, but tuning SELinux for RANCID is beyond the scope of this article. Then install RANCID's dependencies using yum and make sure that the cron, MySQL, and Apache HTTP Server services are started:

yum install expect cvs python httpd mysql mysql-server gcc make autoconf gcc-c++ kernel-devel php-common php-gd php-mcrypt php-pear php-pecl-memcache php-mysql php-xml MySQL-python crontabs telnet docutils rcs
yum groupinstall "Development tools"
yum install MySQL-python diffutils
service crond restart; chkconfig crond on
service mysqld restart; chkconfig mysqld on
service httpd restart; chkconfig httpd on

Next, create a user, group, and home directory for RANCID, then download the project's tarball to that directory and install RANCID from source:
groupadd netadm
useradd -g netadm -d /usr/local/rancid rancid
mkdir /usr/local/rancid/pkg
cd /usr/local/rancid/pkg
wget http://pkgs.fedoraproject.org/repo/pkgs/rancid/rancid-2.3.6.tar.gz/c700f33978d2eb5a246bec056280c017/rancid-2.3.6.tar.gz
tar zxvf rancid-2.3.6.tar.gz
cd rancid-2.3.6
./configure --prefix=/usr/local/rancid/
make install

After RANCID is installed, copy a sample .cloginrc file, the file RANCID uses to store passwords, from the installation package. Also set appropriate permissions for the user and group rancid:netadm, and make sure they own the files under the rancid directory:
cp /usr/local/rancid/pkg/rancid-2.3.6/cloginrc.sample /usr/local/rancid/.cloginrc
chmod 640 /usr/local/rancid/.cloginrc
chmod 775 /usr/local/rancid/
chown -R rancid:netadm /usr/local/rancid/

Now you can edit RANCID's configuration file /usr/local/rancid/etc/rancid.conf so that it reflects your network. Based on your network architecture, you could group devices based on departments, geographic locations, or building campuses, or based on the functions they provide, such as management, voice, or data equipment. You can create separate RANCID groups for each managed network, each containing its own switches and routers. To show how this works, let's define two networks: Network1 will contain a router (Network1-Router-A, IP: 10.10.10.1), and Network2 will include another router (Network2-Router-B, IP: 11.11.11.1):
LIST_OF_GROUPS="Network1 Network2"

RANCID works with CVS (Concurrent Versions System), a version control tool, to keep track of changes in configuration files. Whenever RANCID detects a change in the configuration of a device, the change is stored in a new file with an updated version number. Administrators can track changes back to the initial configuration version.
As user rancid, run CVS to create the necessary repositories. RANCID will check its configuration file and create necessary files for each network group – Network1 and Network2 in this case:
su - rancid
bin/rancid-cvs

Next, again as user rancid, edit the file .cloginrc and add the device credentials. The login password is the non-administrative password you use to log in to the switch or router. RANCID also needs the "enable" or administrative password in order to read the startup or running configuration file:
#NETWORK1-ROUTER-A
add user 10.10.10.1
add password 10.10.10.1 {login-pass} {enable-pass}
#NETWORK2-ROUTER-B
add user 11.11.11.1
add password 11.11.11.1 {login-pass} {enable-pass}

The passwords are stored as plain text in .cloginrc, which could be a security concern, but the file .cloginrc has permissions of 640 for rancid:netadm, so only the user and group specifically created for RANCID (and root, of course) should be able to read it. The device configuration files stored by RANCID contain plain text and/or encrypted passwords based on how the passwords are stored within the actual device.
You can test whether the .cloginrc entries work by manually executing the clogin script provided by RANCID. This script is also invoked while RANCID is running to log in to devices:

bin/clogin 10.10.10.1
10.10.10.1
spawn telnet 10.10.10.1
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.

User Access Verification

Password:
NETWORK-1-ROUTER-A>enable
Password:
NETWORK-1-ROUTER-A#

If the script fails, double-check that the passwords saved in .cloginrc are correct. Also check whether the ACLs in the router permit remote logins from the IP address of the RANCID server.
Once RANCID can recognize the routers and connect to them with the proper passwords, add the IP address or hostname, device type, and state of the device under the respective Network sections. To use hostnames you need to have DNS support. The device data is listed using the syntax ip-address:device-type:state. Devices for each group go in separate files called router.db under var/groupname for each group you defined.

vim /usr/local/rancid/var/Network1/router.db
10.10.10.1:cisco:up

vim /usr/local/rancid/var/Network2/router.db
11.11.11.1:cisco:up

Next, invoke the rancid-run script, which executes RANCID. RANCID checks each added device, verifies any changes to an already saved configuration, and stores the configuration files with version numbers:
su - rancid
bin/rancid-run

If the run is successful, you should see text files named 10.10.10.1 and 11.11.11.1 under /usr/local/rancid/var/NetworkX/config that contain the entire configuration of each device.
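A malformed router.db line (wrong field count, a state other than up/down, a host listed twice) is easy to introduce by hand and only shows up as a skipped device at the next run. The following is an added example, not code from the article or the RANCID project, that checks a router.db against the host:device-type:state syntax described above; the sample file it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: check a RANCID router.db
# before rancid-run. Every non-comment line must read host:device-type:state
# with state "up" or "down", as in the article's 10.10.10.1:cisco:up.
# The sample file below is constructed for the demonstration.

# check_routerdb FILE
# Prints one message per faulty line; returns 1 if any were found, else 0.
check_routerdb() {
    awk -F: '
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; n++ }
        /^[ \t]*#/ || /^[ \t]*$/    { next }            # comments, blanks
        NF != 3                     { bad("expected host:type:state"); next }
        $1 !~ /^[A-Za-z0-9._-]+$/   { bad("bad host or IP"); next }
        $2 !~ /^[a-z0-9-]+$/        { bad("bad device type"); next }
        $3 != "up" && $3 != "down"  { bad("state must be up or down"); next }
        seen[$1]++                  { bad("duplicate host") }
        END { exit n > 0 }
    ' "$1"
}

# Constructed sample: two valid entries followed by three faulty ones.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Network1 devices
10.10.10.1:cisco:up
11.11.11.1:cisco:down
10.10.10.2:cisco:UP
10.10.10.3:cisco
10.10.10.1:juniper:up
EOF

check_routerdb "$SAMPLE" || echo "fix router.db before running rancid-run"
```

Run it as user rancid against /usr/local/rancid/var/Network1/router.db (and the other groups) before invoking rancid-run or adding the cron job.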
Now create a cron job to run RANCID at a fixed interval so that the configuration files stored in RANCID are updated periodically. Choose an interval based on your requirements; I am using 30 minutes for this demonstration. Also, set up a second cron job to run at 00:00 on the first day of the month and remove log files that have not been modified for 30 days:
crontab -u rancid -e

# half-hourly router dump
*/30 * * * * /usr/local/rancid/bin/rancid-run
00 00 1 * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +30 -exec rm {} \;

service crond restart

At this point you have a running RANCID server that periodically checks and stores the configuration files of network devices.
Adding ViewVC
At this stage you can access the configuration files stored by RANCID only via the command line. A web interface could help users more easily access the stored information. ViewVC provides an easy-to-use web interface with navigable directory support and the ability to view different versions of configuration files and view and compare changes.

Before installing ViewVC you must install some Python package prerequisites:

cd /usr/local/rancid/pkg
wget http://peak.telecommunity.com/dist/ez_setup.py
python ./ez_setup.py
easy_install babel
easy_install Genshi
easy_install Pygments
easy_install docutils
easy_install textile

Now you can set up and configure ViewVC:
cd /usr/local/rancid/pkg
wget http://viewvc.tigris.org/files/documents/3330/49347/viewvc-1.1.22.tar.gz
tar zxvf viewvc-1.1.22.tar.gz
cd viewvc-1.1.22
./viewvc-install   ## we set the installation path as /usr/local/viewvc ##

Next, edit the ViewVC configuration file /usr/local/viewvc/viewvc.conf. Specify the root directory of the CVS repository you created earlier and the paths to executables ViewVC uses, such as rcs, enscript, and highlight:
[general]
root_parents = /usr/local/rancid/var/CVS : cvs
rcs_path = /usr/bin/
use_enscript = 1
enscript_path = /usr/bin/
use_highlight = 1
highlight_path = /usr/bin

Copy the ViewVC CGI files to Apache's cgi-bin directory and change their ownership to the Apache user and group:
cp /usr/local/viewvc/bin/cgi/*.cgi /var/www/cgi-bin/
chown apache:apache /var/www/cgi-bin/query.cgi
chown apache:apache /var/www/cgi-bin/viewvc.cgi

You also need to add two aliases to Apache's /etc/httpd/conf/httpd.conf configuration file to link the ViewVC CGI scripts with landing pages of /rancid and /query:

ScriptAlias /rancid "/var/www/cgi-bin/viewvc.cgi"
ScriptAlias /query "/var/www/cgi-bin/query.cgi"

Then restart Apache with the command service httpd restart.

Next, edit /etc/group and add the user apache to the group netadm. Previously, we set 775 permissions on the directory /usr/local/rancid for the user rancid and group netadm. Adding apache to the group ensures that it has the necessary permissions to access the scripts stored within /usr/local/rancid:

netadm:x:GID:apache

CVS can also be integrated with MySQL. Without MySQL, CVS stores all information in separate text files, and working with a large number of text files can get inefficient. MySQL can keep records of the CVS filenames and the checkout and commit states of files, and it provides an efficient platform for querying. Create a MySQL database for ViewVC as root:
/usr/local/viewvc/bin/make-database
MySQL Hostname (leave blank for default):
MySQL Port (leave blank for default):
MySQL User: root
MySQL Password: ##MySQL root password here##
ViewVC Database Name [default: ViewVC]:

mysql -u root -p   ## enter the MySQL root password when prompted ##
mysql> GRANT ALL ON ViewVC.* TO viewvcuser@localhost;
mysql> set password for viewvcuser@localhost=password("viewvcpw");
mysql> FLUSH privileges;

Add the MySQL user viewvcuser to /usr/local/viewvc/viewvc.conf:

[cvsdb]
enabled = 1
host = localhost
port = 3306
database_name = ViewVC
user = viewvcuser
passwd = viewvcpw

Finally, populate the database with the necessary tables and the CVS data created earlier by rancid-cvs using an installed script:
/usr/local/viewvc/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT
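Adding apache to netadm, as done above for ViewVC, also affects .cloginrc: the article protects that file with mode 640 and group netadm, so every member of netadm can read the device passwords it holds. The following is an added example, not code from the article or the RANCID project, that resolves a file's mode, owner and group against /etc/group and /etc/passwd and reports who can read it; the group and passwd contents it uses are constructed to mirror the article's setup.

```shell
#!/bin/sh
# Added example, not from the original article: list the accounts that can
# read /usr/local/rancid/.cloginrc, which holds device passwords in plain
# text. The article sets it to 640 rancid:netadm and later adds apache to
# netadm for ViewVC; the constructed /etc/group and /etc/passwd below mirror that.

# readers MODE OWNER GROUP GROUPFILE PASSWDFILE
# Prints, sorted, the non-root accounts able to read a file with octal MODE
# owned by OWNER:GROUP, resolved against the given group and passwd files.
readers() {
    mode=$1 owner=$2 group=$3 gf=$4 pf=$5
    {
        [ $(( 0$mode & 0400 )) -ne 0 ] && echo "$owner"
        if [ $(( 0$mode & 040 )) -ne 0 ]; then
            gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$gf")
            # supplementary members listed in the group file
            awk -F: -v g="$group" '$1 == g && $4 != "" {
                n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gf"
            # accounts whose primary group is GROUP (useradd -g netadm rancid)
            awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$pf"
        fi
        [ $(( 0$mode & 04 )) -ne 0 ] && echo "(everyone: world-readable)"
    } | sort -u
}

# check_cloginrc MODE OWNER GROUP GROUPFILE PASSWDFILE
# Returns 0 if rancid is the only non-root reader, else warns and returns 1.
check_cloginrc() {
    extra=$(readers "$@" | awk '$0 != "rancid"' | tr '\n' ' ')
    [ -z "$extra" ] && return 0
    echo "warning: .cloginrc is readable by: $extra"
    return 1
}

# Constructed files mirroring the article: rancid's primary group is netadm
# and apache has been appended to the netadm line in /etc/group.
TMP=$(mktemp -d)
cat > "$TMP/group" <<'EOF'
root:x:0:
apache:x:48:
netadm:x:1001:apache
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
rancid:x:1001:1001::/usr/local/rancid:/bin/bash
EOF
check_cloginrc 640 rancid netadm "$TMP/group" "$TMP/passwd" || true   # warns: apache
```

On the live server, feed it the real values with `set -- $(stat -c '%a %U %G' /usr/local/rancid/.cloginrc); check_cloginrc "$1" "$2" "$3" /etc/group /etc/passwd`; a warning there means the web server account, and anything that compromises it, can read the device credentials.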
Using RANCID
You can now access RANCID by pointing a browser to http://ServerIP/rancid. The interface contains separate links for each group you created.

Whenever a device configuration is changed, RANCID detects the change and saves the configuration using an incremented version number. Select any device to see information on all saved versions. You can view the entire configuration, as well as compare changes from any previous versions.
Different versions of one router's configuration stored at RANCID
A comparison between two versions of a router's configuration
If you want to add a new device to a group, change to user rancid and add the credentials in .cloginrc and the IP information in /usr/local/rancid/var/groupname/router.db:

/usr/local/rancid/.cloginrc:
#NETWORK1-Switch-A
add user 10.10.10.2
add password 10.10.10.2 {login-pass} {enable-pass}

/usr/local/rancid/var/Network1/router.db:
10.10.10.2:cisco:up

You can then run RANCID manually with a command like /usr/local/rancid/bin/rancid-run -r 10.10.10.2, or you can just wait for cron to run it.

You can disable polling of a device while retaining the already saved configuration versions, as you might do if you were taking down a switch but wanted to keep all the configuration information that RANCID has already saved. To do so, declare the device as down in the router.db file and RANCID will not poll it for changes:

11.11.11.11:cisco:down

To sum up, RANCID is a useful tool for managing and tracking changes to network device configurations. In network operations centers where many engineers work together, RANCID provides a platform to keep a history of changes, which can help not only for reverting back to previous states but also in network audits.