Agenda: rancid-exercise.txt

File rancid-exercise.txt, 16.0 KB (added by carmas, 6 years ago)
Network Management & Monitoring

Using RANCID
============

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

1. Connect to your PC using ssh

2. Become root, and install the Subversion Version Control System:

        In addition to Subversion we will also install telnet and the mutt
        email client. Both of these packages may already be installed from prior
        exercises. If so, don't worry - the apt-get command will not reinstall
        them.

        $ sudo bash
        # apt-get install subversion telnet mutt

3. Install Rancid itself

        # apt-get install rancid

        - It will prompt with a warning - Select <OK> and press ENTER to continue.
        - It will give you another warning about making a backup copy of your
          rancid data. We have no data, so select <YES> and press ENTER to continue.

4. Add an alias for the rancid user in the /etc/aliases file

        # editor /etc/aliases

        rancid-all:     sysadm
        rancid-admin-all:   sysadm

    Save the file, then run:

        # newaliases

5. Edit /etc/rancid/rancid.conf

        # editor /etc/rancid/rancid.conf

Find this line in rancid.conf:

        #LIST_OF_GROUPS="sl joebobisp"

And, underneath it, add the following line:

        LIST_OF_GROUPS="all"

(with no '#' at the front of the line, and aligned to the left)

We want to use Subversion for our Version Control System, and not CVS, so find the
line with the parameter RCSSYS:

        RCSSYS=cvs; export RCSSYS

And, change it to:

        RCSSYS=svn; export RCSSYS

Then find the line with CVSROOT:

        CVSROOT=$BASEDIR/CVS; export CVSROOT

And, change it to:

        CVSROOT=$BASEDIR/svn; export CVSROOT

Note the lowercase "svn". Now exit and save the file.

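The three edits in step 5 can also be applied and verified from the command line, which is handy when setting up more than one collector or when checking a machine someone else configured. The following shell functions are an added example, not part of the original exercise or of the rancid package; they assume GNU sed and grep and take the file path as a parameter, so you can try them on a copy of /etc/rancid/rancid.conf before touching the real one.

```shell
#!/bin/sh
# Added example (not part of the original exercise): apply the three
# rancid.conf edits from step 5 from the command line and check the result.
# Assumes GNU sed (-i) and grep.  The file path is a parameter, so try it on
# a copy first; the real file in this exercise is /etc/rancid/rancid.conf.

# Print the value of the last uncommented KEY=value line in FILE, with any
# trailing "; export KEY" and surrounding double quotes removed.
rancid_conf_get() {
    file=$1; key=$2
    grep "^[[:space:]]*${key}=" "$file" | tail -n 1 \
        | sed -e "s/^[[:space:]]*${key}=//" -e 's/;.*$//' -e 's/^"//' -e 's/"$//'
}

# Edit FILE in place: enable LIST_OF_GROUPS="all", switch RCSSYS from cvs to
# svn and point CVSROOT at $BASEDIR/svn.  Running it twice changes nothing.
rancid_conf_configure() {
    file=$1
    if ! grep -q '^[[:space:]]*LIST_OF_GROUPS=' "$file"; then
        if grep -q '^#LIST_OF_GROUPS=' "$file"; then
            # put the new line directly under the commented example, as in step 5
            sed -i '/^#LIST_OF_GROUPS=/a LIST_OF_GROUPS="all"' "$file"
        else
            echo 'LIST_OF_GROUPS="all"' >> "$file"
        fi
    fi
    sed -i -e 's/^[[:space:]]*RCSSYS=cvs;/RCSSYS=svn;/' \
           -e 's|^[[:space:]]*CVSROOT=\$BASEDIR/CVS;|CVSROOT=$BASEDIR/svn;|' "$file"
}

# Return 0 if FILE already carries all three settings this exercise needs,
# 1 otherwise.  Useful as a quick sanity check before running rancid-cvs.
rancid_conf_check() {
    file=$1
    [ "$(rancid_conf_get "$file" LIST_OF_GROUPS)" = "all" ] || return 1
    [ "$(rancid_conf_get "$file" RCSSYS)" = "svn" ] || return 1
    [ "$(rancid_conf_get "$file" CVSROOT)" = '$BASEDIR/svn' ] || return 1
    return 0
}
```

Typical use is `cp /etc/rancid/rancid.conf /tmp/rancid.conf.test`, then `rancid_conf_configure /tmp/rancid.conf.test` and `rancid_conf_check /tmp/rancid.conf.test && echo ok`, and only then the same against the real file as root.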

6. Change to the rancid user

###################################################################
#
# CRITICAL! CRITICAL! CRITICAL!
#
###################################################################

Pay very close attention to what userid you are using during the rest of these exercises.
If you are not sure, simply type "id" on the command line at any time.

    From a root prompt ("#"), switch identity to become the 'rancid' user:

        # su -s /bin/bash rancid

    Check that you ARE the rancid user:

        $ id

    You should see something similar (numbers may be different):

        uid=104(rancid) gid=109(rancid) groups=109(rancid)

###################################################################

    ***** IF YOU ARE NOT USER RANCID NOW, do NOT continue ******

###################################################################

7. Create /var/lib/rancid/.cloginrc

        $ editor /var/lib/rancid/.cloginrc

    Add the following two lines to the file:

        add user *.ws.nsrc.org cisco
        add password *.ws.nsrc.org nsrc+ws nsrc+ws

    ('cisco' is the username; the first and second 'nsrc+ws' are the
    password and enable password used to log in to your router. The star in the name
    means that it will try to use this username and password for all routers
    whose names end in .ws.nsrc.org.)

    Exit and save the file.

    Now protect this file so that it cannot be read by other users:

        $ chmod 600 /var/lib/rancid/.cloginrc

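Because .cloginrc holds the router login and enable passwords in clear text, the chmod 600 above is the one step in this exercise you do not want to skip or undo later. The functions below are an added example (not part of the exercise or of rancid) that turns that requirement into a repeatable check; they assume GNU coreutils stat (the -c option) and take the file path as a parameter so they can be run against a copy or from a cron job.

```shell
#!/bin/sh
# Added example (not part of the original exercise): check a .cloginrc
# before using it.  The file holds router passwords in clear text, so the
# chmod 600 in step 7 matters; this reproduces that check as a function.
# Assumes GNU coreutils 'stat' (the -c option); the path is a parameter so
# the check can be run against a copy or from a cron job.

# Return 0 when FILE is a regular file that grants no permission at all to
# group or others (0600 or stricter); otherwise print the reason and return 1.
cloginrc_check_mode() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    perms=$(stat -c '%A' "$file")          # e.g. -rw------- or -rw-r--r--
    # characters 5-10 of the symbolic mode are the group and other bits
    if [ "$(echo "$perms" | cut -c5-10)" != "------" ]; then
        echo "$file: mode $perms grants access to group/others; run: chmod 600 $file" >&2
        return 1
    fi
    return 0
}

# Print the device patterns (third field) of every 'add password' line, so
# you can review which hosts a password applies to without printing the
# passwords themselves.
cloginrc_password_targets() {
    awk '$1 == "add" && $2 == "password" { print $3 }' "$1"
}
```

Run `cloginrc_check_mode /var/lib/rancid/.cloginrc && echo ok` as the rancid user after editing the file; `cloginrc_password_targets /var/lib/rancid/.cloginrc` lists the host patterns (here `*.ws.nsrc.org`) so you can see how widely each password is shared without displaying it.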

8. Test login to the router of your group

    Log in to your router with clogin. You might have to type "yes" at the first warning, but
    you should not need to enter a password; this should be automatic.

       $ /var/lib/rancid/bin/clogin rtrX.ws.nsrc.org

       (replace X with your group number. So, group 1 is rtr1.ws.nsrc.org)

    You should get something like:

       spawn ssh -c 3des -x -l cisco rtr2.ws.nsrc.org
       The authenticity of host 'rtr2.ws.nsrc.org (10.10.2.254)' can't be established.
       RSA key fingerprint is 73:f3:f0:e8:78:ab:49:1c:d9:5d:49:01:a4:e1:2a:83.
       Are you sure you want to continue connecting (yes/no)?
       Host rtr1.ws.nsrc.org added to the list of known hosts.
       yes
       Warning: Permanently added 'rtr1.ws.nsrc.org' (RSA) to the list of known hosts.
       Password:

       rtr1>enable
       Password:
       rtr1#

    Exit from the router login:

       rtr2#exit


9. Initialize the SVN repository for rancid:

        Make sure you are the rancid user before doing this:

                $ id

        If you do not see something like "uid=108(rancid) gid=113(rancid) groups=113(rancid)"
        then DO NOT CONTINUE until you have become the rancid user. See exercise 6 for
        details.

        Now initialize the Version Control repository (it will use Subversion):

        $ /usr/lib/rancid/bin/rancid-cvs

    You should see something similar to this:

        Committed revision 1.
        Checked out revision 1.
        At revision 1.
        A         configs
        Adding         configs

        Committed revision 2.
        A         router.db
        Adding         router.db
        Transmitting file data .
        Committed revision 3.

******** Do this ONLY if you have problems *******

     If this does not work, then either you are missing the subversion package, or
     something was not properly configured during the previous steps. You should verify
     that subversion is installed, and then, before running the rancid-cvs command again,
     do the following:

                $ exit
                # apt-get install subversion
                # su -s /bin/bash rancid
                $ cd /var/lib/rancid
                $ rm -rf all
                $ rm -rf svn

      Now try running the rancid-cvs command again:

                $ /usr/lib/rancid/bin/rancid-cvs

*****************************************************

10. Create the router.db file

        $ editor /var/lib/rancid/all/router.db

    Add this line:

        rtrX.ws.nsrc.org:cisco:up

    (remember to replace X as appropriate)

    Exit and save the file.

11. Let's run rancid!

        $ /usr/lib/rancid/bin/rancid-run

    This will take a few moments, so be patient.

    Run it again, since the first time it might not commit correctly:

        $ /usr/lib/rancid/bin/rancid-run

12. Check the rancid log files:

        $ cd /var/lib/rancid/logs
        $ ls -l

    ... View the contents of the file(s):

        $ less all.*

    NOTE! Using "less" - to see the next file press ":n". To see the previous
    file press ":p". To exit from less press "q".

13. Look at the configs

        $ cd /var/lib/rancid/all/configs
        $ less rtrX.ws.nsrc.org

    Where you should replace "X" with your group number.

    If all went well, you can see the config of the router.

14. Let's change an interface description on the router

        $ /usr/lib/rancid/bin/clogin rtrX.ws.nsrc.org

    Where you should replace "X" with your group number.

    At the "rtrX#" prompt, enter the command:

        rtrX# conf term

    You should see:

        Enter configuration commands, one per line.  End with CNTL/Z.
        rtrX(config)#

    Enter:

        rtrX(config)# interface LoopbackXX              (replace XX with your PC number)

    You should get this prompt:

        rtrX(config-if)#

    Enter:

        rtr2(config-if)# description <put your name here>
        rtr2(config-if)# end

    You should now have this prompt:

        rtrX#

    To save the config to memory:

        rtrX# write memory

    You should see:

        Building configuration...
        [OK]

    To exit, type:

        rtrX# exit

        Now you should be back at your rancid user prompt on your system.

15. Let's run rancid again:

        $ /usr/lib/rancid/bin/rancid-run

    Look at the rancid logs:

        $ ls /var/lib/rancid/logs/

    You should see the latest rancid execution as a new log file with the date
    and time in the name.

16. Let's see the differences

        $ cd /var/lib/rancid/all/configs
        $ ls -l

    You should see the router config file for your group. Now view its revision history:

        $ svn log rtrX.ws.nsrc.org

    (where X is the number of your router)

    Notice the revisions.  Let's view the difference between two versions:

        $ svn diff -r 5:7 rtrX.ws.nsrc.org | less

    ... can you find your changes?

    Notice that svn is the Subversion Version Control system command line
    tool for working with Subversion repositories. If you type:

        $ ls -lah

    You will see a hidden directory called ".svn" - this holds the information
    Subversion uses to track the changes between router configurations from each
    time you run rancid using /usr/lib/rancid/bin/rancid-run.

    Whatever you do, don't edit or touch the .svn directory by hand!


17. Check your mail

        Now we will exit from the rancid user shell and the root user shell to go
        back to being the "sysadm" user. Then we'll use the "mutt" email client to
        see if rancid has been sending emails to the sysadm user.

        $ exit                                  (takes you from the rancid user to root)
        # exit                                  (takes you from root to the sysadm user)
        $ id
        ... check that you are now the 'sysadm' user again;

        ... if not, log out and log in again to your virtual host as sysadm

        $ mutt

    (When asked to create the Mail directory, say Yes)

    If everything goes as planned, you should be able to read the mails
    sent by Rancid. You can select an email sent by "rancid@pcX.ws.nsrc.org"
    and see what it looks like.

    Notice that it contains your router description and any differences from the last
    time it was obtained using the rancid-run command.

    Now exit from mutt.

    (use 'q' to return to the mail index, and 'q' again to quit mutt)

18. Let's make rancid run automatically every 30 minutes using cron

        cron is a system available in Linux to automate the running of jobs. First we
        need to become the root user again:

        $ sudo bash

    Now we will create a new cron job for the rancid user:

        # crontab -e -u rancid

    It will ask you for your favorite editor. Select whichever editor you have been
    using in class.

    Add this line at the bottom of the file (COPY and PASTE):

        */30  *  *  *  *  /usr/lib/rancid/bin/rancid-run

    ... then save and quit from the file.

    That's it. The command "rancid-run" will execute automatically from now on every
    30 minutes, every day (week and month).


19. Now add all the other routers

    Note the names of the routers:

        rtrX.ws.nsrc.org  where X goes from 1 to 9

    If you have fewer routers in your class, then only include the actual, available
    routers.

    Become the rancid user and update the router.db file:

        # su -s /bin/bash rancid
        $ editor /var/lib/rancid/all/router.db

    Add the other classroom routers to the file. You should end up with
    something like (COPY and PASTE):

        rtr1.ws.nsrc.org:cisco:up
        rtr2.ws.nsrc.org:cisco:up
        rtr3.ws.nsrc.org:cisco:up
        rtr4.ws.nsrc.org:cisco:up
        rtr5.ws.nsrc.org:cisco:up
        rtr6.ws.nsrc.org:cisco:up
        rtr7.ws.nsrc.org:cisco:up
        rtr8.ws.nsrc.org:cisco:up
        rtr9.ws.nsrc.org:cisco:up

    (Note that "cisco" means this is Cisco equipment -- it tells Rancid
    that we are expecting to talk to a Cisco device here.  You can also
    talk to Juniper, HP, ...).

    Be sure the entries are aligned to the left of the file.

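router.db drives every automated login rancid-run performs, so a malformed entry (wrong field count, a state other than up/down, a line that is not aligned to the left, a duplicate host) is worth catching before the cron job from step 18 starts retrying it every 30 minutes. The following functions are an added example, not part of the exercise or of rancid; they follow the colon-separated name:type:state format used in this exercise and accept any non-empty device type, not only cisco.

```shell
#!/bin/sh
# Added example (not part of the original exercise): validate a router.db
# before rancid-run reads it.  Follows the three-field colon format used in
# this exercise (name:type:state); device types other than cisco are accepted
# as long as they are non-empty.  Prints one diagnostic per bad line and
# returns the number of bad lines (0 means the file is clean).
routerdb_validate() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[[:space:]]*$/ || /^#/ { next }                 # blank lines and comments
        {
            msg = ""
            if ($0 ~ /^[[:space:]]/)             msg = "entry is not aligned to the left"
            else if (NF != 3)                    msg = "expected name:type:state (3 fields), got " NF
            else if ($1 !~ /^[A-Za-z0-9.-]+$/)   msg = "hostname is empty or has invalid characters"
            else if ($2 == "")                   msg = "device type is empty"
            else if ($3 != "up" && $3 != "down") msg = "state must be up or down, got \"" $3 "\""
            else if (seen[$1]++)                 msg = "duplicate entry for " $1
            if (msg != "") { bad++; printf "%s:%d: %s\n", FILENAME, FNR, msg }
        }
        END { exit bad }
    ' "$1"
}

# Print the hostnames of entries marked "up" for a given device type
# (e.g. cisco): the set of devices rancid-run will actually poll.
# Usage: routerdb_up_hosts ROUTER_DB TYPE
routerdb_up_hosts() {
    awk -F: -v type="$2" '$2 == type && $3 == "up" { print $1 }' "$1"
}
```

As the rancid user, `routerdb_validate /var/lib/rancid/all/router.db && echo clean` is a quick gate to run after editing the file, and `routerdb_up_hosts /var/lib/rancid/all/router.db cisco` shows exactly which routers the next rancid-run will log in to.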
20. Run rancid again:

        $ /usr/lib/rancid/bin/rancid-run

    This should take a minute or more now, so be patient.

21. Check out the logs:

        $ cd /var/lib/rancid/logs
        $ ls -l

    ... Pick the latest file and view it:

        $ less all.YYYYMMDD.HHMMSS

    This should be the last file listed in the output from "ls -l".

    You should notice a bunch of statements indicating that routers have been
    added to the Subversion version control repository, and much more.

22. Look at the configs

        $ cd /var/lib/rancid/all/configs
        $ more *.ws.nsrc.org

        Press the SPACE bar to continue through each file. Or, you could do:

                $ less *.ws.nsrc.org

        And press the SPACE bar to scroll through each file and then press ":n" to
        view the next file. Remember, in both cases you can press "q" to quit at
        any time.

    If all went well, you can see the configs of ALL routers.

23.  Run RANCID again just in case someone changed some configuration on the router

        $ /usr/lib/rancid/bin/rancid-run

     This could take a few moments, so be patient....


23. Play with clogin:

        $ /usr/lib/rancid/bin/clogin -c "show clock" rtrX.ws.nsrc.org

    Where "X" is the number of your group.

    What do you notice?

    Even better, we can show the power of using a simple script to make changes
    to multiple devices quickly:

        $ editor /tmp/newuser

    ... in this file, add the following commands (COPY and PASTE):

        configure terminal
        username NewUser secret 0 NewPassword
        exit
        write

    Save the file, exit, and run the following commands from the command line:

                $ for r in 1 2 3 4

                Your prompt will now change to be ">". Continue by typing:

                > do
                > /var/lib/rancid/bin/clogin -x /tmp/newuser rtr$r.ws.nsrc.org
                > done

        Now your prompt will go back to "$", and the rancid clogin command will run and
        execute the commands you just typed above on routers rtr1, rtr2, rtr3 and
        rtr4. This is simple shell scripting in Linux, but it's very powerful.

    Q. How would you verify that this has executed correctly? Hint: "show run | inc"

    A. Connect to rtr1, rtr2, rtr3 and rtr4. Type "enable" and then type
       "show run | inc username" to verify that the NewUser username now exists.
       Type "exit" to leave each router. Naturally, you could automate this as we just
       did above.

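The for loop above hard-codes the router numbers and discards each device's output, which makes it hard to tell afterwards which logins succeeded. The function below is an added example (not part of the exercise or of rancid) that uses the same clogin -c pattern from the start of this step for a read-only command, takes the host list from the "up" entries of router.db instead of a fixed range, keeps each device's output in its own file and returns a count of failures. CLOGIN defaults to the path used in this exercise and can be pointed at a wrapper; the colon-separated router.db format is the one used here.

```shell
#!/bin/sh
# Added example (not part of the original exercise): run one read-only
# command on every router that router.db marks "up", saving each device's
# output to its own file and summarising failures.  Paths and the clogin
# location are parameters; CLOGIN can be pointed at a wrapper or a test stub.
# Assumes the colon-separated router.db format used in this exercise.

CLOGIN=${CLOGIN:-/var/lib/rancid/bin/clogin}

# Usage: run_on_up_routers ROUTER_DB OUTDIR "show clock"
# Prints one ok/FAIL line per device and returns the number of devices
# whose login or command failed (0 = everything succeeded).
run_on_up_routers() {
    db=$1; outdir=$2; cmd=$3
    mkdir -p "$outdir"
    failed=0
    for host in $(awk -F: '$3 == "up" { print $1 }' "$db"); do
        # clogin's own messages (login prompts, errors) are kept with the output
        if "$CLOGIN" -c "$cmd" "$host" > "$outdir/$host.txt" 2>&1; then
            echo "ok   $host"
        else
            echo "FAIL $host (see $outdir/$host.txt)"
            failed=$((failed + 1))
        fi
    done
    return $failed
}
```

As the rancid user: `run_on_up_routers /var/lib/rancid/all/router.db /tmp/showclock "show clock"; echo "failures: $?"`. Keeping one file per device means a router that is down or rejects the login is visible in the summary rather than lost in a scrolling terminal, and the saved output can be compared later against what rancid-run collected.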

24. Add the RANCID SVN (Subversion) repository into WebSVN

    If you are still logged in as user rancid, get back to root. Remember you can type
    "id" to check what userid you are.

        $ exit
        #

    Install WebSVN:

        # apt-get install websvn
                * Select <Yes> when asked if you want to configure WebSVN now, and press ENTER
                * Select <Ok> for the next question about supporting various web servers and press
                  ENTER
                * When asked for the "svn parent repositories" change the path to be:

                  /var/lib/rancid/svn

                  Select <Ok> and press ENTER. Do the same when asked about "svn repositories" on
                  the next screen. That is, use the path:

                  /var/lib/rancid/svn

                  and not what is shown by default. Select <Ok> and press ENTER.
                * Select <Ok> for the next screen talking about permissions and press ENTER.

25. Fix permissions. The web server must be able to read the SVN (Subversion) folder.

        # chgrp -R www-data /var/lib/rancid/svn
        # chmod g+w -R /var/lib/rancid/svn


26. Browse the rancid files from your Web browser!

        http://pcX.ws.nsrc.org/websvn

    Browse the files under the 'all/configs' directory.
    You can see all your router configuration files here.


27. Review revisions

    WebSVN lets you easily see the changes between versions.

        * Browse to http://pcX.ws.nsrc.org/websvn again, go to all, configs.
        * Click on your router's file name (rtrX.ws.nsrc.org). You will get a new screen.
        * Click "Compare with Previous" at the top of the screen.
        * You should now see the latest changes highlighted.

    Click on "REPOS 1" to go back to the main WebSVN page:

        * Click on "all/" under "Path"
        * Click on "configs/"
        * Select two of the routers that are next to each other, e.g. rtr1 and rtr2, or
          rtr3 and rtr4.
        * Click on Compare Paths

    This will show you the differences between two separate router configurations.

    WebSVN is a convenient way to quickly see differences via a GUI between multiple
    configuration files. Note that this is a potential security hole, so you should limit
    access to the URL http://host/websvn using passwords (and SSL) or appropriate
    access control lists.


+----
Rev. 12 Oct 2012