The underlying goal at work this month is to get some much-needed insight into, and auditing ability over, our network. I had looked at Rancid before, and after doing some research I finally decided to take the plunge and implement it in our network.
The steps below assume that you are running Ubuntu Server 8.04.3 LTS i386 with a standard LAMP installation. They may work with other Debian-based distributions, but your mileage may vary. For this installation I will be using Rancid version 2.3.2, which is the current stable release at the time that I wrote this article. I encourage you to check the Shrubbery web site and get the latest release that is available. Additionally, this article will go into a bit more detail about using Rancid with various HP Procurve equipment.
It would be a lie to say I figured out all of these steps on my own. Some of it was trial and error, other information I found in various places on the Internet. Tweets from Jeremy over at Evil Routers gave me the needed insight on editing the hrancid file to support some of the newer Procurve equipment.
Rancid Installation
After your base LAMP system is installed, you need to install some packages that are required to install and run rancid. You can combine these commands into one line, but I broke them out into two lines to show that the second line begins the actual Rancid dependencies.
apt-get install gcc make libc6-dev
apt-get install expect cvs
Next, create a user that will run Rancid. This user’s home directory will be used as the install path and CVS repository for Rancid. For simplicity’s sake I have used the user name “rancid”, but you can use anything.
adduser --home /home/rancid rancid
Download the latest rancid source archive using wget.
wget ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2.tar.gz
Copy the archive to /usr/src and extract the contents.
cp rancid-2.3.2.tar.gz /usr/src
cd /usr/src
tar xvfz rancid-2.3.2.tar.gz
cd rancid-2.3.2
Configure and install Rancid. Note that we are providing arguments for specific installation directories.
./configure --prefix=/home/rancid --localstatedir=/home/rancid/var/rancid
make install
Since the previous commands were issued by the root user, we need to change ownership of /home/rancid back to the rancid user.
chown -R rancid:rancid /home/rancid
Rancid Configuration
Edit /home/rancid/etc/rancid.conf and look for the following line (which is probably commented out):
LIST_OF_GROUPS=""
There will probably be text between the quotes; delete it. The group names you provide become your CVS groups, and they appear as folders when you browse the repository with CVSweb. In my case I chose to create a group for each building I manage. Once everything is running, each building’s folder will contain the network devices in that building along with their configuration files. Below is an example of a list of groups; each group name is separated from the previous one by a space.
LIST_OF_GROUPS="Philadelphia Boston Miami Burbank"
Edit the /home/rancid/.cloginrc file. This contains the login information for your switches. If you use AAA/RADIUS to authenticate the users that manage network equipment, your job is easy. All you have to do is provide a username and password for every device like so:
add user * {ranciduser}
add password * {ranciduserpassword}
add autoenable * 1
The first two lines are self-explanatory. The asterisk is a wildcard matching all devices. The last line tells Rancid that the credentials provided automatically drop the user into enable mode.
Since the .cloginrc file contains passwords, change its permissions so that only the rancid user can read it.
chmod 600 .cloginrc
chown rancid:rancid .cloginrc
Now we run the rancid-cvs command, which will create the CVS groups based on the “LIST_OF_GROUPS” we defined earlier. It is important that you run this command as the rancid user.
su - rancid
/home/rancid/bin/rancid-cvs
Next, edit the router.db files for each group. There is a separate router.db file for each group. The groups are located in the /home/rancid/var/rancid directory (each group has its own folder). Each line of a router.db file tells Rancid the IP address or hostname of a device, the device manufacturer, and the status of the device, separated by colons. For example:
192.168.1.2:hp:up
If you use a hostname instead of an IP address, be sure the server running Rancid is able to resolve the hostname. For newer HP Procurve devices, set the manufacturer to “hp”. This works for 5400zl and 8200zl models as well as older stackable models (3400, 2524, etc.). If you have a switch that was manufactured by Foundry, such as the Procurve 9308, set the manufacturer to “foundry”. Rancid will only process the device if the status is set to “up”. Any other status will cause the device to be skipped.
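Two of the steps above are easy to get wrong and are only discovered when rancid-run silently does nothing: a .cloginrc that is readable by other users, and a router.db line that does not have the host:vendor:status shape. The following pre-flight script is an added example (not part of Rancid) that checks both before the first run. It assumes the directory layout used in this article (RANCID_HOME/.cloginrc and RANCID_HOME/var/rancid/<group>/router.db), uses GNU coreutils stat, and knows only the two vendor names this article uses; extend KNOWN_VENDORS with the other device types your copy of rancid-fe accepts.

```shell
#!/bin/sh
# rancid-preflight.sh: added example, not part of Rancid. Verifies that
# .cloginrc is readable only by its owner and that every router.db line is
# well formed, before rancid-run is invoked for the first time.

# Vendor names used in this article (assumption: extend as needed).
KNOWN_VENDORS="hp foundry"

# check_cloginrc FILE
# Returns 0 when FILE exists and group/other have no permission bits set
# (mode 600 or stricter), 1 otherwise. Uses GNU coreutils stat (Linux).
check_cloginrc() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *00) return 0 ;;                        # e.g. 600 or 400
        *)   echo "$f has mode $mode, expected 600"; return 1 ;;
    esac
}

# check_router_db FILE
# Each non-blank, non-comment line must be host:vendor:status with exactly
# three fields. Prints every problem; returns 1 if any line is malformed or
# names an unknown vendor. A status other than "up" is only reported, since
# Rancid simply skips that device.
check_router_db() {
    f=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # split on ':' using parameter expansion only
        host=${line%%:*}
        rest=${line#*:}
        vendor=${rest%%:*}
        status=${rest#*:}
        if [ "$host" = "$line" ] || [ "$vendor" = "$rest" ] || [ -z "$host" ] ||
           [ -z "$vendor" ] || [ -z "$status" ]; then
            echo "malformed (want host:vendor:status): $line"; rc=1; continue
        fi
        case "$status" in
            *:*) echo "malformed (too many fields): $line"; rc=1; continue ;;
            up)  ;;
            *)   echo "note: $host has status '$status', Rancid will skip it" ;;
        esac
        case " $KNOWN_VENDORS " in
            *" $vendor "*) ;;
            *) echo "unknown vendor '$vendor' for $host"; rc=1 ;;
        esac
        # anything that is not a dotted-quad must resolve on this server
        case "$host" in
            *[!0-9.]*) if command -v getent >/dev/null && ! getent hosts "$host" >/dev/null; then
                           echo "warning: cannot resolve $host"
                       fi ;;
        esac
    done < "$f"
    return $rc
}

# preflight RANCID_HOME: run both checks over every group directory.
preflight() {
    home=$1
    rc=0
    check_cloginrc "$home/.cloginrc" || rc=1
    for db in "$home"/var/rancid/*/router.db; do
        [ -f "$db" ] || continue               # glob matched nothing
        echo "checking $db"
        check_router_db "$db" || rc=1
    done
    return $rc
}

# Usage: sh rancid-preflight.sh /home/rancid   (no argument: define functions only)
if [ -n "$1" ]; then
    preflight "$1"
fi
```

Run it as root or as the rancid user right after editing the router.db files; a non-zero exit means at least one device would be ignored or one line would confuse the parser, and the output names the line.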
Edit hrancid File
The newer Procurve models no longer support the “show system-information” command; it has been replaced by “show system”. Luckily the new command is specific enough that, when it is issued on older switches that still use “show system-information”, it is still interpreted correctly. In order to support the newer switches, we need to edit the “hrancid” file located in /home/rancid/bin. Once you have the file open, look for the following block of code:
@commandtable = (
    {'show version' => 'ShowVersion'},
    {'show flash' => 'ShowFlash'},
    {'show system-information' => 'ShowSystem'},
    {'show system information' => 'ShowSystem'},
    {'show module' => 'ShowModule'},
    {'show stack' => 'ShowStack'},
    {'write term' => 'WriteTerm'}
);
You need to change “show system-information” to “show system”. The “show system information” line does not need to be modified.
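Editing hrancid by hand works, but the change is easy to script so that it can be re-applied after an upgrade and verified afterwards. The script below is an added example (not part of Rancid): it rewrites only the “show system-information” entry, leaves the separate “show system information” entry alone, keeps a copy of the shipped file, and is safe to run twice. It assumes the Rancid 2.3.2 @commandtable layout shown above and matches the whitespace between the command and “=>” loosely, because the file as shipped may use tabs there rather than the single spaces shown in this article.

```shell
#!/bin/sh
# patch-hrancid.sh: added example, not part of Rancid. Applies the
# 'show system-information' -> 'show system' change with sed and verifies it.

# list_commands FILE: print each command string in @commandtable, one per line
list_commands() {
    sed -n "s/^[[:space:]]*{'\([^']*\)'[[:space:]]*=>[[:space:]]*'[A-Za-z]*'}.*/\1/p" "$1"
}

# patch_hrancid FILE
# Changes the 'show system-information' entry to 'show system'. Keeps a
# FILE.orig copy and is safe to re-run; returns 0 when the table ends up in
# the desired state and 1 if the entry could not be found.
patch_hrancid() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    if list_commands "$f" | grep -qx 'show system'; then
        echo "$f: already patched"
        return 0
    fi
    cp "$f" "$f.orig"
    # GNU sed in-place edit (BSD sed would need -i '')
    sed -i "s/'show system-information'\([[:space:]]*=>\)/'show system'\1/" "$f"
    if list_commands "$f" | grep -qx 'show system'; then
        echo "$f: patched (original saved as $f.orig)"
        return 0
    fi
    echo "$f: 'show system-information' entry not found, nothing changed"
    return 1
}

# Usage: sh patch-hrancid.sh /home/rancid/bin/hrancid
if [ -n "$1" ]; then
    patch_hrancid "$1"
fi
```

After running it, `diff /home/rancid/bin/hrancid.orig /home/rancid/bin/hrancid` should show exactly one changed line; anything more means the file differs from the layout this script expects and should be inspected by hand.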
Run Rancid
Now we will run Rancid for the first time. Again, we are going to need to do this as the rancid user. Be patient, as this command can take some time to complete if you have a large number of devices.
su - rancid
/home/rancid/bin/rancid-run
Install & Configure CVSweb
CVSweb will provide a web interface where you can view the configuration files for your network devices in addition to performing diffs on the files to see what has changed. Installing CVSweb is simple.
apt-get install cvsweb
After the installation is complete, edit the /etc/cvsweb/cvsweb.conf file to point CVSweb to your Rancid CVS repository.
@CVSrepositories = (
    #'local' => ['Local Repository', '/var/lib/cvs'],
    'MNSD'   => ['MNSD Devices', '/home/rancid/var/rancid/CVS'],
);
I usually comment out the “local” line with a pound sign, just to make navigation a bit easier (since in my case the local repository is not used).
Create a link in the www directory that points to the location of the CVSweb icons.
ln -s /usr/share/cvsweb /var/www/cvsweb
You can now access your repository using the following URL: http://YOUR_SERVER/cgi-bin/cvsweb
Rancid Automation
Now that everything is working properly, we want to make sure Rancid runs automatically every so often. We will do this by editing the /etc/crontab file and adding the following lines.
1 12,23 * * * rancid /home/rancid/bin/rancid-run
50 23 * * * rancid /usr/bin/find /home/rancid/var/rancid/logs -type f -mtime +2 -exec rm {} \;
The first line runs Rancid at 12:00 PM and 12:00 AM. Choose your intervals carefully, because the number of devices you are running Rancid against and the size of the configuration on each device will increase the run time. The second line periodically clears out old log files written by rancid-run.
There you have it! You should now have a working version of Rancid!