Friday, May 31, 2013

Installing and configuring Rancid

If you have more than a couple of devices in your network, you might find backing up config files to be a tedious task. If you have more than a handful (which most network admins will), it can become a quest.

This is where Rancid comes in. It's a small application for Linux which lets you automate the process. You can also make it execute commands on the same remote devices automatically (good for clearing tunnels or other resets). It's also good because it supports Fortinet FortiGates (which for their all-in-one nature and cheapness are on the rise). But the most difficult thing I found was trying to get it installed and configured properly.

First you'll want to install your favourite flavour of Linux; I'll be using Ubuntu simply due to its popularity and available repositories.

Open up a terminal window and get to installin'
sudo apt-get install rancid
This will install Rancid onto your machine into /var/lib/rancid. It will also create a new user called rancid to be used with the application. I couldn't find any documentation on what the default password is for this user (however at least one person suggested it was rancid, that didn't work for me) so we'll want to go ahead and change it.
sudo passwd rancid
You'll be prompted to input a new password and confirm it; for simplicity's sake I just stuck with rancid.

Now we can start to configure Rancid itself. It nests devices in groups, and you can execute commands against a group as a whole, which makes management a lot easier. To add a group you'll have to edit the rancid.conf file, which you can find in /etc/rancid/.

You'll see a bunch of commented lines in there already; we need to add one to the bottom. If you're not familiar with VI, use the arrow keys to get down to the line you want to input on, press i to enter INSERT mode and begin typing. Once you're finished, hit ESC and type :wq to write to the file and quit VI and return to the terminal.
vi /etc/rancid/rancid.conf
LIST_OF_GROUPS="toronto montreal vancouver"
:wq
Each group name is separated by a blank space; you can put in as many as you like. We'll be adding our devices to these groups afterwards.

Now that we have our groups in order, we need to generate the CVS files for them. We'll want to run this command as our rancid user.
sudo su -c /var/lib/rancid/bin/rancid-cvs -s /bin/bash -l rancid
This will generate a directory for each of the groups you defined earlier in /var/lib/rancid/.
Each directory will contain a router.db file; this is where we'll be storing our device information.
So back into VI we go!
sudo vi /var/lib/rancid/toronto/router.db
The router.db files have a specific syntax and if you mess it up, it won't work; so be careful!
For a basic entry you'll need to input the following:
#toronto-c1811
192.168.2.1:cisco:up
This will point at a Cisco device with the IP of 192.168.2.1 and tell Rancid that the device is up. Each variable is separated by a colon. If the status is set to down, the script will ignore that device. Rancid supports the use of FQDNs in place of IP addresses; however, I do not use them. Lines beginning with # are comments, and it is a good habit to comment each device you add (even if you're using an FQDN). For the entire list of options, refer to the man page from Shrubbery Networks.

So Rancid knows where to find our devices, but like hell it'll be able to log in; so we need to define that as well. Rancid keeps all its login information in .cloginrc, located in /var/lib/rancid/. When I installed Rancid, this file wasn't auto-generated (apparently there's a sample-cloginrc but I wasn't able to find it on my machine) so I had to create it with VI:
sudo vi /var/lib/rancid/.cloginrc
Quick Linux note: anything starting with a period is a "hidden" file and will not show up with a plain ls (use ls -a to see it).

We should have a blank VI file open right now, get into INSERT mode and put in your box's login creds.
add method 192.168.2.1 ssh
add user 192.168.2.1 cisco
add password 192.168.2.1 cisco cisco
The first line defines which protocol to connect with. In case you have both SSH and Telnet enabled (which I would advise against but whatever), you can put in:
add method 192.168.2.1 ssh telnet
Rancid will first attempt to connect on SSH, then fall back to Telnet in the event of a failure. The second line is the username, and the third is both the password and the enable password. There are a lot of other options you can put here which I don't personally use, but feel free to browse them on the man page.

I found that for Rancid to run we'll have to give our rancid user ownership of the rancid install directory and make our new login file readable/writable (but not executable) only by its owner (which we're about to make rancid):
sudo chmod 600 /var/lib/rancid/.cloginrc
sudo chown -R rancid:rancid /var/lib/rancid
Now we're ready to run Rancid!
sudo su -c /var/lib/rancid/bin/rancid-run -s /bin/bash -l rancid
It should take a little bit to run (depending on how many devices you have and how big their config files are).
Once it's finished you can check the log in /var/log/rancid and check your config file in /var/lib/rancid/toronto/configs/192.168.2.1

And that's it! Put it on a cron job and you'll never have to do it manually again.
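
A preflight check for the two hand-edited files, router.db and .cloginrc, that can be run before rancid-run. This is an added example, not part of Rancid or the original post; the function names are made up here, and it assumes the colon-separated router.db and exact-host .cloginrc entries shown above.

```shell
#!/bin/sh
# Added example: preflight for the two hand-edited RANCID files.
# Assumes the colon-separated router.db and exact-host .cloginrc entries
# shown on this page (no glob patterns).

# Print "lineno: text" for router.db lines that are not host:type:status.
# Flagging any status other than up/down is this example's own rule.
bad_router_lines() {
  awk -F: '/^[ \t]*#/ || /^[ \t]*$/ { next }
    NF < 3 || $1 == "" || $2 == "" || ($3 != "up" && $3 != "down") {
      printf "%d: %s\n", NR, $0 }' "$1"
}

# Print the hosts that will actually be polled (status "up").
up_hosts() {
  awk -F: '!/^[ \t]*#/ && $3 == "up" { print $1 }' "$1"
}

# Print "host directive" for each up host with no matching "add" line.
missing_logins() {  # $1 = router.db, $2 = .cloginrc
  for h in $(up_hosts "$1"); do
    for d in method user password; do
      awk -v h="$h" -v d="$d" \
        '$1 == "add" && $2 == d && $3 == h { f = 1 } END { exit !f }' "$2" \
        || echo "$h $d"
    done
  done
}

# Succeed only if group and other have no permissions at all (e.g. 600).
private_file() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files, not from a real network.
demo=$(mktemp -d)
printf '%s\n' '#toronto-c1811' '192.168.2.1:cisco:up' \
  '192.168.2.2:cisco:up' '192.168.2.3:cisco' > "$demo/router.db"
printf '%s\n' 'add method 192.168.2.1 ssh' 'add user 192.168.2.1 cisco' \
  'add password 192.168.2.1 cisco cisco' > "$demo/.cloginrc"
chmod 644 "$demo/.cloginrc"

bad_router_lines "$demo/router.db"
missing_logins "$demo/router.db" "$demo/.cloginrc"
private_file "$demo/.cloginrc" || echo ".cloginrc: group/other can read it"
```

The mode check matters once www-data joins the rancid group in the Observium section below: with 600 on .cloginrc, group membership exposes the saved configs but not the device passwords.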

Observium Integration

This was a very annoying task to get to work, but once it's working it's bloody brilliant.
You'll have to do things a little differently because Observium uses hostnames as opposed to IP addresses for adding devices. So I went and edited my /etc/hosts file to reflect the devices I was adding.

Open your config file for Observium and point towards your Rancid configs:
vi /opt/observium/config.php 
$config['rancid_configs'][]              = '/var/lib/rancid/toronto/configs/';
$config['rancid_ignorecomments']        = 0;
Now, provided your config files are showing up with hostnames as opposed to IP addresses, everything should work. However, this is where I got stuck, and it's the most Linux of problems: user groups. Observium will be accessing the Rancid configs as Apache's www-data user, which isn't in our rancid user group.
usermod -a -G rancid www-data
Now once you restart your apache service (service apache2 restart) you should be good to go! You'll know it's working because Observium will add a config tab to the device page.

NOTE: I had installed Rancid on top of Turnkey's Observium distro and found that telnet was not installed by default; apt-get install telnet to fix.