Configuring Rancid

In my last post I talked about Installing Rancid on CentOS 7, so be sure to check that out. In this post we want to actually use Rancid, so I'll walk through how to set up Rancid to log in to network equipment and collect configurations.

To recap: Rancid is a great tool for monitoring a device configuration for changes. It also keeps a history of those changes in CVS (Concurrent Versions System), so you can go back and compare versions or revert to a previous configuration. Rancid supports hardware from Cisco, HP, Dell, Juniper and more. It is all open source, so you can write custom scripts or add commands to make it a repository that really fits your company.

Rancid has a couple of files that need to be edited before we can let it run. The first is the router.db file. There is one in each "group" (folder) that rancid stores; in our example we have two groups, routers and switches. This file lists all the devices you want rancid to keep track of, each identified by its DNS name or IP address. To edit it, do the following:

Log in to the Rancid server as root, then switch to the rancid user with su - rancid. {Type of Device} below is the "group" you configured in the List of Groups (LIST_OF_GROUPS) setting in rancid.conf during the installation:

nano /usr/local/rancid/var/{Type of Device}/router.db

At first this file is blank. Below is an example of what I have done in the past:

# This is an example of a router.db file in Rancid.
# Location of file: /usr/local/rancid/var/Routers/router.db
# Type the router name or IP followed by the type of device. (Rancid supports more than just Cisco.)
# Personally I think it looks better with DNS names.
Router01.example.com;cisco;up;

# You can also mark a device as down. This will cause Rancid to skip it.
Router02.example.com;cisco;down;
Router03.example.com;cisco;up;

# Of course you can also add comments throughout this file or alongside devices for notes.
# Edge switches for computers at HQ
Switch-HQ-Edge14.example.com;cisco;up; LOCATION: Server Rack A
Switch-HQ-Edge07.example.com;cisco;up; LOCATION: Room 101
Switch-HQ-Edge21.example.com;cisco;down; LOCATION: Building A (Under Construction)
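Because rancid-run quietly skips any router.db line it cannot parse, a malformed file shows up as a log with nothing but "starting:" and "ending:" lines rather than an error (one reader hits exactly this in the comments below, with a file in the older colon-separated 2.x format). The script below is an added example, not part of RANCID and not from the original post; it checks a router.db for the name;type;state[;comment] layout before you schedule the job. The sample entries it runs on when given no file are constructed.

```shell
#!/bin/sh
# Added example, not part of RANCID itself: sanity-check a RANCID 3.x
# router.db before you schedule rancid-run. rancid-run only acts on lines of
# the form  name;type;state[;comment]  and silently ignores anything else,
# so a file in the older 2.x colon-separated format, or a typo, gives you a
# log with just "starting:" and "ending:" lines and no device output.
#
# check_routerdb reads a router.db on stdin, prints a verdict per entry and
# a summary, and returns 0 only when every non-comment line is well formed.
check_routerdb() {
    bad=0 up=0 down=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '' | '#'*) continue ;;                    # blank lines and comments
        esac
        case "$line" in
            *';'*) ;;
            *':'*) echo "BAD  $line   (colon separator is the 2.x format; 3.x uses ';')"
                   bad=$((bad + 1)); continue ;;
            *)     echo "BAD  $line   (no ';' field separator)"
                   bad=$((bad + 1)); continue ;;
        esac
        # Split name;type;state;comment (the comment field is optional).
        IFS=';' read -r name type state comment <<EOF
$line
EOF
        case "$name" in
            '' | *[!A-Za-z0-9._-]*)
                echo "BAD  $line   (device name must be a hostname or IP address)"
                bad=$((bad + 1)); continue ;;
        esac
        if [ -z "$type" ]; then
            echo "BAD  $line   (missing device type, e.g. cisco)"
            bad=$((bad + 1)); continue
        fi
        case "$state" in
            up)   up=$((up + 1)) ;;
            down) down=$((down + 1)) ;;
            *)    echo "BAD  $line   (state must be 'up' or 'down')"
                  bad=$((bad + 1)); continue ;;
        esac
        echo "OK   $name type=$type state=$state${comment:+ note=$comment}"
    done
    echo "SUMMARY up=$up down=$down bad=$bad"
    [ "$bad" -eq 0 ]
}

# Usage: check_routerdb < /usr/local/rancid/var/Routers/router.db
# Run with a file argument to check that file; with no argument it checks a
# constructed sample that mixes good entries with a 2.x-style colon line.
if [ -n "${1:-}" ]; then
    check_routerdb < "$1"
else
    check_routerdb <<'EOF' || :
# constructed sample
Router01.example.com;cisco;up;
Router02.example.com;cisco;down;
Switch-HQ-Edge14.example.com;cisco;up; LOCATION: Server Rack A
Router09.example.com:cisco:up
EOF
fi
```

Run it as the rancid user against each group's router.db; a non-zero exit means at least one device would be silently skipped by rancid-run.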

Once you have added all the devices to each router.db, we need to look at the .cloginrc file, located at /home/rancid/.cloginrc. This file stores the usernames and passwords for each device, and it supports wildcards, so if you have a good naming scheme, use it! I have had luck commenting out everything in that file and starting at the bottom with my own custom configuration, such as:

# Custom configuration at the bottom of .cloginrc

# No enable prompts
add noenable Swich-E-Edge05.example.com 1

# Connect to all CORES (notice the wildcard; remember you still need to add the full name to the router.db file)
add user S-core0*.example.com username-goes-here
add password S-core0*.example.com password-goes-here
add method S-core0*.example.com ssh
add noenable S-core0*.example.com 1

# Connect to all Campus-5-Edge switches
add user Switch-C5-Edge*.example.com username-goes-here
add password Switch-C5-Edge*.example.com password-goes-here enable-password-here
add method Switch-C5-Edge*.example.com ssh
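Two things are worth checking once .cloginrc is written. First, it holds device credentials in plaintext, so it must stay readable only by the rancid account; clogin refuses to source a file whose "other" permission bits are set, but mode 0600 is the sensible target. Second, clogin resolves each add line by scanning the file from the top and taking the first pattern that glob-matches the host, so a wildcard placed above a more specific entry silently wins. The script below is an added example, not RANCID's own code and not from the original post; it performs both checks. It assumes GNU or BSD stat is available, and the hostnames and sample entries it uses are constructed.

```shell
#!/bin/sh
# Added example, not part of RANCID itself: two checks for .cloginrc.
#
# 1. cloginrc_check_perms FILE
#    clogin refuses to source a .cloginrc whose "other" permission bits are
#    set (it reports the file as not secure). This check is stricter and
#    insists on mode 0600, since the file holds plaintext device credentials
#    and nobody but the rancid account has any reason to read it.
cloginrc_check_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
    case "$mode" in
        600) echo "ok: $f is mode $mode"; return 0 ;;
        *)   echo "fix: $f is mode $mode; run: chmod 600 $f"; return 1 ;;
    esac
}

# 2. cloginrc_lookup VAR HOST < .cloginrc
#    Emulates how clogin resolves "add VAR pattern value": the add lines are
#    scanned top to bottom and the FIRST pattern that glob-matches the host
#    (case-insensitively) wins. A specific entry placed below a wildcard that
#    already matches is therefore never used, which is easy to miss when the
#    file mixes wildcards and single hosts. Tcl braces around values are
#    stripped. Returns 1 and prints nothing when no entry matches.
cloginrc_lookup() {
    var=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                      # split on whitespace without globbing
        set -- $line
        set +f
        [ $# -ge 4 ] || continue
        [ "$1" = "add" ] && [ "$2" = "$var" ] || continue
        pattern=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
        shift 3
        case "$host" in
            $pattern) printf '%s\n' "$*" | sed 's/[{}]//g'; return 0 ;;
        esac
    done
    return 1
}

# Usage when run directly: sh cloginrc-check.sh HOST   (reads ~/.cloginrc)
# It deliberately resolves only the non-secret variables; the password line
# is matched by exactly the same rule, so if "user" resolves to the wrong
# entry, "password" does too.
if [ -n "${1:-}" ]; then
    rcfile=${HOME}/.cloginrc
    cloginrc_check_perms "$rcfile" || :
    for v in user method noenable autoenable; do
        printf '%-10s %s\n' "$v" "$(cloginrc_lookup "$v" "$1" < "$rcfile" || echo '(no match)')"
    done
fi
```

With the author's layout above, a dedicated entry for one core switch has to sit above the S-core0*.example.com lines, or the wildcard's username and password are the ones clogin will use for it.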

We now have everything ready for a test run of rancid. We can test our luck by running it once with the command below. When the command completes, you should be able to browse to the web page, see the devices you added with their configurations, and get an email if you followed my earlier post.

/usr/local/rancid/bin/rancid-run

For reference, rancid writes a log each time it runs, one per group. To view the log, use my favorite Linux text editor, nano. :) Or you can cat it!

nano /usr/local/rancid/var/logs/{Type of Device/Group}

In this example log file everything went well. Rancid is pretty good at telling you what the issue is if there is one.

starting: Sun Feb 15 18:01:56 MST 2015

Trying to get all of the configs.
All routers sucessfully completed.

cvs diff: Diffing .
cvs diff: Diffing configs
cvs commit: Examining .
cvs commit: Examining configs

ending: Sun Feb 15 18:02:45 MST 2015

Once you have captured devices, you can view their configuration in the browser by going to http(s)://rancid-server-ip/viewvc. In this example I just have one device with two revisions on it, router03.example.com. What do you think?

Screenshot of Rancid in ViewVC, using Router03 as an example.

Diff between revisions on Router03.

One of the last things to do is to set up a cron job to run rancid. It depends on your environment, but in this example I'm running the rancid job every hour on the hour. I'm also clearing log files older than five days, with a cleanup job that runs every day at 11:50 pm. Below is my example of the crontab. Make sure you are in the rancid account (su - rancid) and then type crontab -e. Note that you will be using vi, so here is a crash course: once you are in the file, type "i" for INSERT MODE, type out the configuration, and when you are done press the Escape key followed by ":wq", which will write (save) and quit vi.

#
# Rancid User Crontab File
#

# Begin Hourly Router Dump
1 * * * * /usr/local/rancid/bin/rancid-run

# Begin Cleanup of Differ Logs Every 5 Days
50 23 * * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +5 -exec rm -rf {} \;

We now have a system that will log in and grab configurations of our network equipment on a scheduled basis. Rancid does way more than just Cisco devices, although it's in the name :). Rancid has made it pretty easy to add your own custom scripts or add-ons to what you want to see when rancid pulls a configuration, so, as before, check out Shrubbery at http://www.shrubbery.net/rancid/ and the threads from Rancid Discussions at http://www.gossamer-threads.com/lists/rancid/ for details. I'll stop here. I hope this information is helpful, and as always let me know if you have any questions.


Static Comments:

sunny -

Great write-up, thanks. Do you have an article listing the steps to set up 'cisco-sb' type devices to be configured with Rancid 3.1 or 3.2? I did every possible config change but could not get it to work. Finally I had to downgrade rancid to 2.3.8, and then rancid was able to pull the config of the cisco-sb devices. Thanks, sunny


Elliot -

Hello. Thank you for this guide, it is really helpful. I followed your two guides but I have a problem when I run RANCID. When I run /usr/local/rancid/bin/rancid-run, it takes a few seconds; I have only one switch at the moment so I think it's working. But when I go to viewvc, I just have rev. 1.1, with nothing in it, and I don't get a new one (like 1.2 ...) when I run it again. In my file router.db I just have this: { my IP xx.xx.xx.xx };cisco;up In my file .cloginrc I just added: add user xx.xx.xx.xx Test (it works when I connect with this user by ssh) ad password xx.xx.xx.xx password password (the password works for connection and enable) ad method xx.xx.xx.xx ssh Are my files ok? I'm sorry, I don't speak English very well, I hope you will understand! Thank you. Elliot


Elliot -

Hello. Yes, I put HP instead of cisco but it doesn't work ^^ I think this type of HP switch isn't supported by RANCID! I'm not an expert either, so I will try to use something else ^^ Thank you again for your answers and your tutorial! Elliot


blakestock -

Thanks for the guide! I've got RANCID up and running but it doesn't seem to actually be polling the devices and getting their configs. When I run /usr/local/rancid/bin/rancid-run it takes about 1 second to finish, but I've got 9 different devices it should be logging into. When I check the ViewVC page the devices are not showing up individually, but it does show the router.db file. The logs for running RANCID manually just show: starting: Wed Sep 23 16:40:15 EDT 2015 ending: Wed Sep 23 16:40:15 EDT 2015 I can ssh to each device from the server with the username I've made for RANCID fine. Any ideas on what I'm missing? Thanks! Blake


Ryan -

Hey Blake, did you follow the other post I did about Installing Rancid? https://lewiryan.github.io/ciscoskills/2015/01/03/install-rancid-and-viewvc-on-centos-7/ Go over that and see if you are missing anything; you should see some cvs information and any errors/successes about devices in your router.db file. If you are seeing blank logs it is likely rancid is not understanding the router.db file.

# This is an example of a router.db file in Rancid.
# Location of file: /usr/local/rancid/var/Routers/router.db
# Type the router name or IP followed by the type of device. (Rancid supports more than just Cisco.)
# Personally I think it looks better with DNS names.
Router01.example.com;cisco;up;

# You can also mark a device as down. This will cause Rancid to skip it.
Router02.example.com;cisco;down;
Router03.example.com;cisco;up;

# Of course you can also add comments throughout this file or alongside devices for notes.
# Edge switches for computers at HQ
Switch-HQ-Edge14.example.com;cisco;up; LOCATION: Server Rack A
Switch-HQ-Edge07.example.com;cisco;up; LOCATION: Room 101
Switch-HQ-Edge21.example.com;cisco;down; LOCATION: Building A (Under Construction)

Hope that Helps, Ryan


blakestock -

Thanks for the response, I see what I did in the router.db file. I had an older version of RANCID running, and in that the router.db file used colons instead of semicolons. I had copied the old router.db file to the new server running the current version, and that's why it didn't read the routers or log into any of them. Thanks for your help and this great guide!!


Ryan -

Hey Elliot, check the logs by going to nano /usr/local/rancid/var/logs/ and scroll through and see what it says. You can also test logins by using clogin since you are using Cisco equipment. On the CLI, log in to the rancid server, su - rancid, then run this command to connect to one of your devices: /usr/local/rancid/bin/clogin (IP address/name of device) and hit enter. If it all works you should be connected to your equipment; if not, it should give you an error and from there you can troubleshoot more. Hope that helps. Ryan


Elliot -

Hi, thank you for the answer. /usr/local/rancid/var/logs/ is empty .... I think it's a problem :) When I use /usr/local/rancid/bin/clogin, I don't have enough time to enter my password, and even if I'm fast enough and I enter the right password, I have an error: Authentication failed. I have probably done something wrong! Is it maybe a problem with the switch? Thank you Elliot


Elliot -

I checked my log file, obviously it's a password problem. I don't know why, but it looks like it doesn't use the password that I give.... Because when I use /usr/local/rancid/bin/clogin I'm connected, but when I use ssh I have this error: spawn ssh -c 3des -x -l rancid xx.xx.xx.xx Password: Password: Password: rancid@10.1.249.123's password: Connection closed by xx.xx.xx.xx When I use telnet: spawn telnet xx.xx.xx.xx Trying xx.xx.xx.xx... Connected to xx.xx.xx.xx. Escape character is '^]'. User Access Verification Password: % Authentication failed Password: Error: Check your passwd for xx.xx.xx.xx But I give the right password ... When I use the command /usr/local/rancid/bin/clogin -u rancid -p password (the same) xx.xx.xx.xx it works! I'm connected to my switch; I just have an error for enable, but that's because I don't give it the password. Thank you


Ryan -

Hey Elliot, check your /home/rancid/.cloginrc file. If clogin is not working then there is something wrong with your .cloginrc file. Comment out everything in that file and just start at the bottom of the file with your own configuration. Hope that helps. Ryan


Elliot -

I commented out everything except what I added... And now it works! I looked for it for one entire day, just for a problem with comments ^^ Thank you from France. :) Elliot


Elliot -

Hello, it's me again! Now it's working with a Cisco switch, but not with an HP switch :) I can connect to the switch without problem, but with the HP switch the command to get access to the configuration is not "enable" but "_cmdline-mode". So when I use /usr/local/rancid/bin/clogin I have this: Username:xxx Password: enable ^ % Unrecognized command found at '^' position. So I would like to modify something to make rancid use "_cmdline-mode" and not enable, but I don't know how to do this :s I tried to use "add enableprompt" but I don't know if that's what this command does. Thanks a lot. Elliot


Elliot -

Sorry for the triple post but I can't edit my post ... In /usr/local/rancid/var/logs/ I have this: starting: jeu. févr. 11 11:10:58 CET 2016 hourly config diffs failed: /tmp/.Switchs.run.lock exists -rw-r-----. 1 rancid netadm 0 11 févr. 10:26 /tmp/.Switchs.run.lock ending: jeu. févr. 11 11:10:58 CET 2016 For my HP switch I have this in .cloginrc: add user 10.1.249.59 {admin} add autoenable 10.1.249.59 1 add password 10.1.249.59 {admin} {password} add method 10.1.249.59 {telnet} I said in my last post that I need to use the command "_cmdline-mode", but I'm not sure that I have to use it to get access to the configuration of the switch. Anyway, Rancid doesn't work with my HP switch! It's an HP 1920-8G. Thank you


Ryan -

Hey Elliot, I know Rancid does support some HP hardware, but I'm not entirely sure if your HP hardware is supported. In the router.db you put HP as the device type instead of Cisco, right? If that doesn't work it's probably something you would have to modify in rancid, and that is something I'm not an expert in. You could check out http://www.gossamer-threads.com/lists/rancid/announce/ and post/search for your question over there. Good luck, I'm glad you at least got it working for your Cisco gear :) Ryan