Rancid and JunOS

Rancid is a collection of perl bits which are able to login to various network devices and extract their configurations.

It then uses version control and checks in the current (just extracted) configuration into version control for tracking purposes. With the proper interface to your version control, you can easily see when changes are made. Due to the nature of how Rancid works (pull model) it can’t know who made the changes, but at least you’ll be able to see what changed, and when it happened.

Using Rancid to backup a JunOS device

Configuration management is important. Having the visibility on your network to know not only if something changed, but exactly what changed, and when it changed can keep you from spending hours debugging something. Rancid can be configured (cron) to check your devices every 5min for changes, and then log those changes using version control. Once your configs are stored in version control, you have the visibility to know what changed, and when it changed.

Configuring JunOS

We need to create a user for rancid to login as, and a class to define which privileges to grant our user.

 1	set system login class RANCID permissions access
 2	set system login class RANCID permissions admin
 3	set system login class RANCID permissions firewall
 4	set system login class RANCID permissions flow-tap
 5	set system login class RANCID permissions interface
 6	set system login class RANCID permissions network
 7	set system login class RANCID permissions routing
 8	set system login class RANCID permissions secret
 9	set system login class RANCID permissions security
10	set system login class RANCID permissions snmp
11	set system login class RANCID permissions storage
12	set system login class RANCID permissions system
13	set system login class RANCID permissions trace
14	set system login class RANCID permissions view
15	set system login class RANCID permissions view-configuration
16	set system login user rancid full-name RANCID
17	set system login user rancid uid 2001
18	set system login user rancid class RANCID
19	set system login user rancid authentication ssh-ecdsa "ssh_key_text_here"

Installing rancid

rancid is pretty straight forward to install. You can do either of the following:

1pkg install rancid

or

1cd /usr/ports/networking/rancid && sudo make install clean

After installing rancid, you may need to create the rancid user. You can do that with:

1sudo pw useradd rancid
2sudo passwd rancid

Configuring rancid

Rancid offers the ability to store device passwords in its config file. I know that in many ways, the network world is behind, but this is a bad idea. An attacker could simply compromise your rancid box and have passwords for the entire network. Fortunately, Juniper devices don’t require passwords. They can take advantage of ssh public keys. This means you can generate a key-pair and copy the public key to the network device. No more password required. We’ve already restricted the rancid user in JUNOS so they can’t do any damage (no write access), so we’ve minimized the damage as much as we can.

If your version of JunOS doesn’t support ecdsa , just use rsa for now (and upgrade so you can take advantage of shiny new crypto).

There are a handful of config files to edit/create. Defaults are in /usr/local/share/rancid. A .cloginrc file needs to exist in ~rancid. It should be set with permissions of 600 (rancid will complain and refuse to run if you don’t do this). The relevant bits look like this:

1# Only use SSH
2add password    *       1
3add user        *       rancid
4add method      *       ssh
5add identity    *       /var/rancid/.ssh/id_ecdsa

Password is not used, but rancid whines with out it, so just make something up and assign it.

The rancid config file is in /usr/local/etc/rancid/. Stripping out all the comments in rancid.conf, it looks like this (after I’ve modified it):

 1TERM=network;export TERM
 2LC_COLLATE="POSIX"; export LC_COLLATE
 3umask 027
 4TMPDIR=/tmp; export TMPDIR
 5BASEDIR=/var/rancid; export BASEDIR
 6PATH=/usr/local/libexec/rancid:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/bin; export PATH
 7CVSROOT=/svn/rancid; export CVSROOT
 8LOGDIR=$BASEDIR/logs; export LOGDIR
 9RCSSYS=svn; export RCSSYS
10FILTER_PWDS=YES; export FILTER_PWDS
11NOCOMMSTR=YES; export NOCOMMSTR
12LIST_OF_GROUPS="rancid"
13MAILDOMAIN="@dom.tld"; export MAILDOMAIN

Create the directory /var/rancid. Set ownership to rancid. Create the directory /svn/rancid. Set ownership to rancid. You should now be able to (as user rancid), run rancid-run, and then rancid-cvs. It should create some directories in /var/rancid: logs, rancid, and it should populate /svn/rancid with a new repo. You should be able to edit /var/rancid/rancid/router.db and add a line like this:

1# <device_name>;<device_type>;<state>[;comments]
2switch1.cmhome:junos:up

Re-run rancid-run and you should see a new file show up in /var/rancid/rancid/configs/192.168.0.1 which contains the config of your juniper device. The first 20 lines of mine look like this:

 1#RANCID-CONTENT-TYPE: juniper
 2#
 3# switch1.cmhome> show chassis clocks 
 4# switch1.cmhome> show chassis environment 
 5# Class Item                           Status
 6# Power FPC 0 Power Supply 0           OK        
 7# Temp  FPC 0 GEPHY1                   OK        
 8#       FPC 0 GEPHY2                   OK        
 9#       FPC 0 GEPHY3                   OK        
10#       FPC 0 GEPHY4                   OK        
11# 
12# switch1.cmhome> show chassis firmware 
13# Part                     Type       Version
14# FPC 0                    uboot      U-Boot 1.1.6 (Jun 29 2011 - 11:08:23)   1.0.0
15#                          loader     FreeBSD/arm U-Boot loader 1.1              
16# 
17# switch1.cmhome> show chassis fpc detail 
18# Slot 0 information:
19#   State                               Online    
20#   Total CPU DRAM                  512 MB

If you want to store things as ‘set’ commands, as opposed to a heirarchy, edit /usr/local/etc/rancid/rancid.types.base

1juniper;command;junos::ShowConfiguration;show configuration

Add ‘| display set’ on the end so it looks like this:

1juniper;command;junos::ShowConfiguration;show configuration | display set

With all this working, you can now cron an entry for rancid-run. It should look something like this (/etc/crontab):

1# RANCID
2# clean up after rancid. don't need more than 30 days worth of log files cluttering things up
31	*	*	*	*	/usr/bin/find /var/rancid/logs/ -type f -cmin +120 -delete
4
5# do a rancid-run every */30min
6*/30      *       *       *       *       /usr/local/bin/rancid-run > /dev/null

Installing and configuring websvn

I chose a web frontend called websvn. Its written in PHP which sucks, but I’m only using it internally. For the web server, I used nginx. I built php with fpm support and configured nginx to talk to the php-fpm process as shown below. Enabling php-fpm in /etc/rc.conf:

Here is the nginx snippit for websvn and php-fpm:

 1	location /websvn {
 2		alias /usr/local/www/websvn;
 3		index index.php;
 4	}
 5	location ~ \.php {
 6		fastcgi_split_path_info ^(.+\.php)(/.+)$;
 7		set $path /usr/local/www/nginx;
 8		if ($request_uri ~* /websvn) {
 9			set $path /usr/local/www;
10		}
11		fastcgi_param SCRIPT_FILENAME $path$fastcgi_script_name;
12		fastcgi_pass backend;
13		include fastcgi_params;
14	}
15	upstream backend {
16		server 127.0.0.1:9000;
17	}

Edit the /usr/local/www/websvn/includes/config.php and define where your SVN repo is (I used /svn/rancid). Start up your services (php-fpm, nginx), and point your browser at http://yourserver/websvn . You should see the websvn interface, a config directory with your juniper device config named 192.168.0.1, and your router.db file.


Footnotes and References

Copyright

Comments