Daemon News Ezine
Getting RANCID on FreeBSD

Chris Boyd <clb@midasnetworks.com>

RANCID - Really Awesome New Cisco confIg Differ (http://www.shrubbery.net/rancid/) - is a configuration management tool for Cisco routers and Catalyst switches, as well as equipment from Alteon, Bay Networks, Extreme, Force 10 Networks, Foundry, HP, Juniper and Redback. It works by periodically connecting to your devices (telnet, SSH, or rlogin) and recording the configuration. Any differences are flagged using diff, emailed to you, and saved in CVS.

Installation is simple, since RANCID is part of the ports collection. You'll find it in /usr/ports/net/rancid, so the usual "make install clean" will get you going. RANCID installs into /usr/local/rancid. Take a look at the README for late-breaking news. I'm going to show a quick configuration to help get RANCID up and running with a test Cisco 2600.

Configuration

Create a user to run RANCID

I prefer to run programs like RANCID as a separate user. I had already created a user to run MRTG, and decided to add RANCID to this user. This user name is "mrtg", and the password is starred out.

Edit the login information

RANCID needs to know the password and IP information to be able to log in to the boxes and retrieve the configs. These are stored in a file in the user's home directory called ".cloginrc". There's a sample in /usr/local/rancid. Create and edit the ".cloginrc" file in the user's home directory and add the information needed: a fully qualified domain name or IP address, the vty password, and the enable password. My config looks like this:

add password 192.168.0.250 vtypass enpass

Save the file. Check the permissions on the file. It should be set to 600 and owned by mrtg, to keep random users from reading your router passwords:

-rw------- 1 mrtg mrtg 3465 Dec 16 09:59 .cloginrc

Set up the environment

RANCID uses groups to be able to notify various people about changes.
If you have a big network, you may have a bunch of people who do just backbone configs and a different group who do access configs. RANCID builds its group information from that found in the "env" file in /usr/local/rancid/bin. Copy the "env.new" file to "env" and edit it. All the defaults seem reasonable for FreeBSD, so the only change that I made was

LIST_OF_GROUPS="testgroup"

Save the file. You will also need to import these settings into the startup script for your user. I inserted them in ".profile" for user "mrtg".

Test the login

If all's well so far, you should be able to test the ability of your user to log in to your router automatically. Switch to your "mrtg" user and run the command "clogin 192.168.0.250". If all works well, you should get something like this:

-su-2.05b$ clogin 192.168.0.250
192.168.0.250
spawn telnet 192.168.0.250
Trying 192.168.0.250...
Connected to 192.168.0.250.
Escape character is '^]'.

User Access Verification

Password:
Kerberos: No default realm defined for Kerberos!
Midas_Test_>enable
Password:
Midas_Test_#
Midas_Test_#

Log out of your router.

Set up the email aliases

RANCID sends notification using email aliases. You'll need two aliases for each group that you create. Edit "/etc/aliases" and make changes as appropriate. My setup is this:

# Added for rancid.
rancid-testgroup: clb
rancid-admin-testgroup: clb

When done, run "newaliases" to update the sendmail config. Test your aliases by mailing to them.

Set up CVS

As root, go to /usr/local/rancid/bin/ and run ./create_cvs. This will make the CVS entries and create a directory called "testgroup" in /usr/local/rancid. cd to "testgroup" and create a file called "router.db". In this file, put the fully qualified domain name or IP address, the router type, and the status, separated by colons. See the README for supported types and states. My entry looks like this:

192.168.0.250:cisco:up

Save the file and cd back to /usr/local/rancid.
Change the owners

Since I've set up RANCID to run under the mrtg user, I need to change owners on the files in /usr/local/rancid so that the program can read and write as needed. Make sure that you are in /usr/local/rancid and run "chown -R mrtg:mrtg *".

Test it!

You should be all set. Switch to the "mrtg" user and run the "do-diffs" command. You shouldn't get any errors. If you do, check your ownerships and permissions. If you wind up with a dead.letter file, make sure that your email aliases match your group names in /usr/local/rancid/bin/env. When you get the first config, go back and make some trivial change to the router config (this is not a production box, is it? :-). Change the SNMP contact or something like that. Log out, and run "do-diffs" again. In a few seconds, you should get an email showing the changes.

Living with it

Once you have everything working, you've downloaded the config, and you've seen a change notice email, configure RANCID to run automatically and keep the log files clean. Switch to the "mrtg" user and run "crontab -e". My config looks like this:
# run config differ hourly
1 * * * * /usr/local/rancid/bin/do-diffs
# clean out config differ logs
# (find's -exec needs the terminating \; or it refuses to run)
50 23 * * * /usr/bin/find /usr/local/rancid/logs -type f -mtime +2 -exec rm {} \;
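The hand checks from "Test it!" (ownership and permissions on .cloginrc, aliases that match the group names in env, a well-formed router.db) can be scripted so they are re-run before every first do-diffs on a new box. The script below is an added example, not part of the article or of RANCID itself. It assumes the mrtg user's home directory is /home/mrtg and that the env file keeps LIST_OF_GROUPS on a single line in the quoted form shown above; all file locations are arguments, so it can be pointed at test copies.

```shell
#!/bin/sh
# rancid_preflight.sh: sanity checks for the setup described above before the
# first do-diffs run. Added example, not part of the article or of RANCID.
# It checks the three things the article says to verify by hand:
#   1. .cloginrc is mode 600 and owned by the RANCID user (it holds router passwords)
#   2. every group in LIST_OF_GROUPS has both rancid-<group> and
#      rancid-admin-<group> aliases (otherwise do-diffs leaves a dead.letter)
#   3. every router.db line has the form host:type:state with state up or down
# File locations are passed in as arguments; the defaults at the bottom
# (including /home/mrtg) are assumptions, not values from the article.

# check_cloginrc_perms FILE OWNER: 0 if FILE is exactly -rw------- and owned by OWNER
check_cloginrc_perms() {
    f=$1
    want_owner=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # ls -l rather than stat(1): stat's flags differ between FreeBSD and Linux.
    # Only the first 10 characters of the mode are compared, so an ACL/SELinux
    # marker ("+" or ".") after them is ignored.
    set -- $(ls -ld "$f")
    mode=$(printf '%s' "$1" | cut -c1-10)
    owner=$3
    if [ "$mode" != "-rw-------" ]; then
        echo "$f: mode is $mode, want -rw------- (chmod 600)"
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, want $want_owner"
        return 1
    fi
    return 0
}

# groups_from_env ENVFILE: print the names inside LIST_OF_GROUPS="..."
groups_from_env() {
    sed -n 's/^LIST_OF_GROUPS="\([^"]*\)".*/\1/p' "$1"
}

# check_aliases ALIASES GROUP: 0 if both aliases for GROUP are defined in ALIASES
check_aliases() {
    aliases=$1
    g=$2
    rc=0
    for a in "rancid-$g" "rancid-admin-$g"; do
        # an alias definition starts its line with "name:"; comment lines never match
        if ! grep -q "^$a:" "$aliases"; then
            echo "alias $a missing from $aliases"
            rc=1
        fi
    done
    return $rc
}

# check_router_db FILE: 0 if every non-comment line is host:type:state, state up|down
check_router_db() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        host=${line%%:*}
        rest=${line#*:}
        rtype=${rest%%:*}
        state=${rest#*:}
        # "$rest" = "$line" means no colon at all; "$state" = "$rest" means only one
        if [ "$rest" = "$line" ] || [ "$state" = "$rest" ] || [ -z "$host" ] || [ -z "$rtype" ]; then
            echo "$1:$n: expected host:type:state, got '$line'"
            rc=1
            continue
        fi
        case $state in
            up|down) ;;
            *) echo "$1:$n: state '$state' is not up or down"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# rancid_preflight USER HOMEDIR ENVFILE ALIASES ROUTERDB: 0 only if every check passes
rancid_preflight() {
    u=$1; home=$2; envf=$3; al=$4; rdb=$5
    ok=0
    check_cloginrc_perms "$home/.cloginrc" "$u" || ok=1
    groups=$(groups_from_env "$envf")
    if [ -z "$groups" ]; then
        echo "no LIST_OF_GROUPS setting found in $envf"
        ok=1
    fi
    for g in $groups; do
        check_aliases "$al" "$g" || ok=1
    done
    check_router_db "$rdb" || ok=1
    return $ok
}

# Run against the article's layout with RANCID_PREFLIGHT=1 (home directory assumed):
if [ "${RANCID_PREFLIGHT:-0}" = 1 ]; then
    rancid_preflight mrtg /home/mrtg /usr/local/rancid/bin/env /etc/aliases \
        /usr/local/rancid/testgroup/router.db
fi
```

Run it as root or as mrtg before the first do-diffs; a non-zero exit prints one line per failed check. The mode test is deliberately exact rather than "not world-readable": .cloginrc holds vty and enable passwords in clear text, so a group-readable copy is just as wrong even though RANCID itself would still run.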
If your router config gets changed, you will get an email of the diffs. If the router reboots, you will also get a diffs email, since some of the status information has changed. If the router becomes unreachable, you'll also be notified of that after four hours (but you already knew that from your NMS, right?). That should do it for now.