Rancid

Really Awesome New Cisco config Differ (RANCID) is a tool that monitors router and switch configurations and maintains an audit trail of the diffs in CVS or Subversion. It is a wrapper around expect, so expect must be installed.

As of writing the current version is 3.1, and we will install into /opt/rancid.

Install Expect and CVS

Since rancid is a wrapper for expect, and uses cvs by default, we need to install these. Both are available in the base repository.

yum -y install expect cvs

Download Rancid

Rancid is available from shrubbery.net. As of writing this, 3.1 is the latest version which you can download via wget.

wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.1.tar.gz

Untar, configure, compile and install

Rancid is distributed as source and must be built. We’re going to install to /opt/rancid, so we need to pass --prefix=/opt/rancid to the configure script. If you want to install to the default /usr/local/rancid, you can omit this flag.

tar xfz rancid-3.1.tar.gz
cd rancid-3.1
./configure --prefix=/opt/rancid
make
make install

Rancid Configuration

We’ll now modify /opt/rancid/etc/rancid.conf, and create a list of groups in the LIST_OF_GROUPS variable. We’ll use switches and routers here as our two groups, but you can modify as necessary for your environment.

Add the following line after the commented out version in the conf:

LIST_OF_GROUPS="switches routers"

Edit /etc/aliases

Rancid sends diffs to rancid-<group> and errors to rancid-admin-<group>. The <group> part is the name of the group of routers (we’ll get to that later). We want to add these to /etc/aliases so they forward to the appropriate email address.

We’ll create aliases for rancid-switches and rancid-routers as well as rancid-admin-switches and rancid-admin-routers.

Set permissions on /opt/rancid/var

Rancid creates the version control structure and files under /opt/rancid/var in our setup. Since it isn’t wise to run rancid as root (and since it doesn’t allow you to), we’ll need to set the owner of this directory as another system user. You can create a user called rancid, or chown it to your user.

chown ranciduser /opt/rancid/var

Run rancid-cvs as ranciduser

This will generate the directory structure and initial configuration files. We will also run this every time we add a new group to LIST_OF_GROUPS in the conf.

/opt/rancid/bin/rancid-cvs

Edit router.db for each group

Here we will add the information on the network equipment we want to monitor. We will add all router information to /opt/rancid/var/routers/router.db and all switch information to /opt/rancid/var/switches/router.db.

Each line should contain 3 fields separated by a semicolon (";"). The first is the FQDN of the device, the second is the manufacturer of the device (cisco, juniper, etc.; a full list is in the router.db(5) man page), and the third is up or down to give the state of the device.

Check the man page for a full list of vendors.

man -M /opt/rancid/share/man/ router.db

Example configuration line for a cisco router which is an edge router named edge01.centoshowtos.org and is online:

edge01.centoshowtos.org;cisco;up

Let’s add this to the router.db for the routers group now.

echo "edge01.centoshowtos.org;cisco;up" >> /opt/rancid/var/routers/router.db

Now let’s add a Cisco Nexus switch named sw01.centoshowtos.org, which is online, to the switches group (note that this goes into the switches router.db, not the routers one):

echo "sw01.centoshowtos.org;cisco-nx;up" >> /opt/rancid/var/switches/router.db

Configure login information

There is an example template located at /opt/rancid/share/rancid/cloginrc.sample. We want to create /home/ranciduser/.cloginrc and make sure it’s only read/writable by the rancid user. By default, it tries to connect via telnet, but since this is disabled in a lot of environments (for good reason) we’ll also show an example for ssh.

Create the .cloginrc and set the permissions. Replace login_password and enable_password with your actual passwords:

# for telnet default login
echo "add password edge01.centoshowtos.org {login_password} {enable_password}" >> /home/ranciduser/.cloginrc
 
# for ssh login as user admin
echo "add method edge01.centoshowtos.org ssh" >> /home/ranciduser/.cloginrc
echo "add user edge01.centoshowtos.org admin" >> /home/ranciduser/.cloginrc
echo "add password edge01.centoshowtos.org {login_password} {enable_password}" >> /home/ranciduser/.cloginrc
 
chmod 600 /home/ranciduser/.cloginrc

Now test that the login works.

/opt/rancid/bin/clogin edge01.centoshowtos.org
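Before the first rancid-run it is worth checking that every router.db entry has the three-field shape described above and that .cloginrc is locked down, since a malformed entry silently skips a device and a readable .cloginrc exposes every device password. The following is an added example written for this page, not part of RANCID; it assumes the paths used here (/opt/rancid, user ranciduser) and GNU stat as found on CentOS:

```bash
#!/bin/sh
# Added example (not RANCID's own code): sanity checks for router.db and
# .cloginrc before the first rancid-run. Assumes GNU stat (CentOS).

# Validate one router.db line of the form "fqdn;vendor;state".
# Lines starting with '#' and blank lines are comments and are accepted.
# Returns 0 when the line is well formed, 1 otherwise.
check_routerdb_line() {
    line=$1
    case "$line" in
        ''|'#'*) return 0 ;;
    esac
    # exactly three fields means exactly two semicolons
    sep=$(( $(printf '%s' "$line" | tr -cd ';' | wc -c) ))
    [ "$sep" -eq 2 ] || return 1
    fqdn=${line%%;*}
    rest=${line#*;}
    vendor=${rest%%;*}
    state=${rest#*;}
    [ -n "$fqdn" ] && [ -n "$vendor" ] || return 1
    case "$state" in
        up|down) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate a whole router.db file; reports each bad entry on stderr and
# returns 1 if any line is malformed, 0 otherwise.
check_routerdb_file() {
    rc=0
    while IFS= read -r l || [ -n "$l" ]; do
        check_routerdb_line "$l" || { echo "bad entry in $1: $l" >&2; rc=1; }
    done < "$1"
    return $rc
}

# .cloginrc holds device login and enable passwords: it must be mode 600
# and owned by the user that runs rancid. Returns 0 only when both hold.
check_cloginrc() {
    f=$1; owner=$2
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f")
    fowner=$(stat -c '%U' "$f")
    if [ "$mode" = "600" ] && [ "$fowner" = "$owner" ]; then return 0; fi
    return 1
}

# Typical use with the paths from this page:
#   check_routerdb_file /opt/rancid/var/routers/router.db
#   check_routerdb_file /opt/rancid/var/switches/router.db
#   check_cloginrc /home/ranciduser/.cloginrc ranciduser
```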

Run Rancid

Next, we run rancid and view the output. If there are any errors we will need to correct them before assuming we’re in a good state and adding to cron.

/opt/rancid/bin/rancid-run