Re: [rancid] FXOS debugging

2018-11-30 Thread heasley
Fri, Nov 30, 2018 at 03:47:23PM +, Ryan West:
> John,
> 
> Still hitting the same issue and replicated it on a fresh Ubuntu 18.04 LTS 
> with 8.6 expect/tcl loaded on it.
> 
> > invalid command name "^-"
> while executing
> "^-"
> invoked from within
> "expect {
> -re "\b+"   { exp_continue }
> -re "^\[^\n\r *]*$reprompt" { send_user -- 
> "$expect_out(buffer)"
> }
> -re "^\[^\n\r]*$reprom..."
> (procedure "run_commands" line 36)
> invoked from within
> "run_commands $prompt $command"
> ("foreach" body line 206)
> invoked from within
> "foreach router [lrange $argv $i end] {
> set router [string tolower $router]
> # attempt at platform switching.
> set platform ""
> send_user ..."
> (file "/home/rwest/bin/fxlogin" line 870)

I do not see the cause in the code or the debug output.  And, I do not
have a device to test against.  running fxlogin against an IOS device
works fine.

maybe start with making sure that you are using the most recent alpha
version of fxlogin.  diffs since rancid 3.7 are attached.

> Thanks,
> 
> -ryan
> 
> -Original Message-
> From: heasley  
> Sent: Wednesday, November 28, 2018 5:54 PM
> To: Ryan West 
> Cc: heasley ; Rancid-discuss@shrubbery.net
> Subject: Re: [rancid] FXOS debugging
> 
> Wed, Nov 28, 2018 at 04:09:40PM +, Ryan West:
> > Same error -
> > 
> > Here is the list of installed TCL packages:
> > 
> > libtcl8.5:amd64
> > libtcl8.6:amd64 
> > tcl 
> > tcl-expect:amd64
> > tcl8.5  
> > tcl8.6  
> > 
> > On a 9.6 Debian version.  It's just this script that is throwing errors 
> > as well.
> 
> Why (how) do you have tcl 8.5 and 8.6?  Please make sure that expect is 
> linked with 8.6.
Index: bin/fxlogin.in
===
--- bin/fxlogin.in	(revision 3835)
+++ bin/fxlogin.in	(working copy)
@@ -76,11 +76,12 @@
 	}
 
 	# handle escaped ;s in commands, and ;; and ^;
-	regsub -all {([^\\]);;} $command "\\1;\u002;" esccommand
-	regsub {^;} $esccommand "\u002;" command
-	set sep "\\1\u001"
-	regsub -all {([^\\])\;} $command "$sep" esccommand
-	set sep "\u001"
+	regsub -all {([^\\]);} $command "\\1\u0002;" esccommand
+	regsub -all {([^\\]);;} $esccommand "\\1;\u0002;" command
+	regsub {^;} $command "\u0002;" esccommand
+	regsub -all {[\\];} $esccommand ";" command
+	regsub -all {\u0002;} $command "\u0002" esccommand
+	set sep "\u0002"
 	set commands [split $esccommand $sep]
 	set num_commands [llength $commands]
 	set rshfail 0
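Review bot: The six regsub passes ending in set sep "\u0002" are added here and again, line for line, in run_commands further down this patch; moving them into one helper proc that takes $command and returns the split list would keep the two copies from diverging the next time the escaping rules change. That helper is also the place to state that U+0002 is reserved as the separator, since split $esccommand $sep will break any command that already contains that character.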
@@ -356,7 +357,7 @@
 
 # Run commands given on the command line.
 proc run_commands { prompt command } {
-global do_saveconfig in_proc platform
+global do_interact do_saveconfig in_proc platform
 set in_proc 1
 
 # leave the prompt alone for fxos
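Review bot: do_interact is added to the global list of run_commands, but nothing in the visible lines gives it a value, and the new test if { $do_interact == 1 } later in this proc fails with a can't-read-variable error if the global was never set. Confirm it is initialised (for example set do_interact 0) alongside the other option defaults before any call to run_commands.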
@@ -374,11 +375,12 @@
 log_user 0
 
 # handle escaped ;s in commands, and ;; and ^;
-regsub -all {([^\\]);;} $command "\\1;\u002;" esccommand
-regsub {^;} $esccommand "\u002;" command
-set sep "\\1\u001"
-regsub -all {([^\\])\;} $command "$sep" esccommand
-set sep "\u001"
+regsub -all {([^\\]);} $command "\\1\u0002;" esccommand
+regsub -all {([^\\]);;} $esccommand "\\1;\u0002;" command
+regsub {^;} $command "\u0002;" esccommand
+regsub -all {[\\];} $esccommand ";" command
+regsub -all {\u0002;} $command "\u0002" esccommand
+set sep "\u0002"
 set commands [split $esccommand $sep]
 set num_commands [llength $commands]
 # the pager can not be turned off on the PIX, so we have to look
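Review bot: The comment above the new regsub passes still reads only "handle escaped ;s in commands, and ;; and ^;", although the block now makes five passes that swap esccommand and command back and forth, which makes it hard to check which variable holds the final text. A short comment per pass (mark each unescaped ; with U+0002, mark the second ; of a ;; pair, mark a leading ;, turn \; into ;, drop the ; after each mark), plus a note that the result ends up in esccommand, would make the split on the following line easy to verify.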
@@ -385,11 +387,7 @@
 # for the "More" prompt.  the extreme is equally obnoxious in pre-12.3 XOS,
 # with a global switch in the config.
 for {set i 0} {$i < $num_commands} { incr i} {
-	if { [lindex $commands $i] == "\u002" } {
-	send -- "\r"
-	} else {
-	send -- "[subst -nocommands [lindex $commands $i]]\r"
-	}
+	send -- "[subst -nocommands [lindex $commands $i]]\r"
 	expect {
 	-re "\b+"{ exp_continue }
 	-re "^\[^\n\r *]*$reprompt"		{ send_user -- "$expect_out(buffer)"
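Review bot: On the one remaining send line, subst -nocommands still applies variable and backslash substitution to the command text, so a command that contains $ or a backslash sequence is changed, or raises an error for an unknown variable, before it is sent to the device. Consider subst -nocommands -novariables if only backslash handling is wanted, and add a comment that an empty list element now produces the bare "\r" that the deleted branch used to send.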
@@ -397,7 +395,7 @@
 	-re "^\[^\n\r]*$reprompt."		{ send_user -- "$expect_out(buffer)"
 		  exp_continue
 		}
-	-re "^[^-]*--More--\[^\r\n]*[\r\n]+"	{ # fxos FTP pager
+	-re "^\[^-]*--More--\[^\r\n]*\[\r\n]+"	{ # fxos FTP pager
 		  send " "
 		  exp_continue
 		}
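Review bot: The --More-- pattern is still written in double quotes, where every [ has to be backslash-escaped by hand; the two unescaped ones in the old line, [^-] and [\r\n], are Tcl command substitution, which matches the invalid command name "^-" error quoted at the top of this thread. This pattern interpolates no variable, so writing it in braces, -re {^[^-]*--More--[^\r\n]*[\r\n]+}, would remove the escaping altogether and make the same slip impossible to repeat.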
@@ -428,6 +426,11 @@
 }
 log_user 1
 
+if { $do_interact == 1 } {
+	interact
+	return 0
+}
+
 if { [string compare "extreme" "$platform"] } {
 	send -h "exit\r"
 } else {
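Review bot: The new return 0 directly after interact leaves the proc before the send -h "exit\r" logout below it and with in_proc still set to 1 from the top of run_commands; if anything after this point closes the session or resets in_proc, the interactive path now skips it. Either do that cleanup before returning or add a comment saying why interactive mode can return without it.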
___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss


Re: [rancid] how cisco nx-os switch work with rancid with read-only account

2018-11-30 Thread Piegorsch, Weylin William
What if you delete these commands:

role name rancid
rule 1 permit read
rule 2 permit command show *


and re-define your username command as:

username ro password XXX role network-operator


If you're on the CLI, "show role" will show you the pre-defined roles.  See 
here for documentation.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/system_mgmt/503_u2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2_chapter_0101.html#con_1230629

Using default / pre-defined roles, you don’t need to craft a role specifically 
for rancid.  Unless you're concerned about a rogue user logging in with stolen 
credentials and having access to "show" commands you don't want to allow.

Weylin




-Original Message-
From: yuan song 
Date: Friday, November 30, 2018 at 3:40 AM
To: 
Subject: [rancid] how cisco nx-os switch work with rancid with read-only account

I have a read access account "RO" on a Nexus 3048, and I added it to the
.cloginrc file like this:
add method 10.36.0.71 {ssh}
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add user 10.36.0.71 ro
add password 10.36.0.71 XXX
add noenable 10.36.0.71 1

However, the rancid log gives me:
10.36.0.71: End of run not found
Error: TIMEOUT reached

But if I give my account full read permission, it works just fine.
Hope someone could help me here, thanks a lot.

PS:nexus config
role name rancid
rule 1 permit read
rule 2 permit command show *
username ro password XXX role rancid






Re: [rancid] F5 'bigip' SNMP password hash changes every run

2018-11-30 Thread heasley
Fri, Nov 30, 2018 at 04:05:52PM +, Gauthier, Chris:
> Hello,
> 
> We are using rancid 3.7 here and it successfully is backing up our F5’s.  
> However, since I added SNMPv3 onto a new pair of F5’s, the password hash 
> changes every time rancid runs.  I don’t mind this, since the purpose is to 
> maintain a backup that I can straight-out deploy to the device, except that I 
> don’t want the email telling me that password changed every time (which is 
> hourly for us).
> 
> Is there a way to filter out this from the email but not from what is 
> actually committed into the repo?

well, some options:
- alter rancid/share/rtrfilter to instead filter by line regex;
  also see rancid.conf(5):DIFFSCRIPT
- have two collections; one which filters passwords/etc, another which
  does not, but which also has no diff-mail recipients.  also see
  rancid.conf(5):FILES section
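
Added example (not from this thread and not rancid code): one way to do the line-regex filtering suggested above on the diff text only, so the repository still receives every change. It drops a unified-diff hunk only when every changed line matches a volatile-secret pattern, so a real change in the same hunk still reaches the mail. The *-password-encrypted pattern, the file names and the hash strings are assumptions constructed for the sample; how the filter is hooked into rancid's diff mail is not shown.

```python
import re
# Assumption: the churning secrets appear on lines like these in the saved config.
VOLATILE = re.compile(r"^\s*(auth|privacy)-password-encrypted\s")
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def filter_diff(text, volatile=VOLATILE):
    """Drop unified-diff hunks in which every +/- line matches `volatile`."""
    out, header, seen_hunk = [], [], False
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = HUNK.match(lines[i])
        if not m:                          # file header line (---/+++/Index:)
            if seen_hunk:                  # previous file is finished
                header, seen_hunk = [], False
            header.append(lines[i])
            i += 1
            continue
        old, new = int(m.group(1) or 1), int(m.group(2) or 1)  # lines owed per side
        hunk, i, seen_hunk = [lines[i]], i + 1, True
        while i < len(lines) and (old > 0 or new > 0 or lines[i].startswith("\\")):
            tag = lines[i][:1]
            old -= tag in ("-", " ", "")   # context and removals use up old lines
            new -= tag in ("+", " ", "")   # context and additions use up new lines
            hunk.append(lines[i])
            i += 1
        changed = [l[1:] for l in hunk[1:] if l[:1] in ("+", "-")]
        if any(not volatile.search(c) for c in changed):
            out += header + hunk           # header goes out once per file
            header = []
    return "\n".join(out) + ("\n" if out else "")

# Constructed sample diff (not real device output).
SAMPLE = """\
--- configs/f5-a
+++ configs/f5-a
@@ -40 +40 @@
-        auth-password-encrypted "OLDHASH1"
+        auth-password-encrypted "NEWHASH1"
--- configs/f5-b
+++ configs/f5-b
@@ -8 +8 @@
-        privacy-password-encrypted "OLDHASH2"
+        privacy-password-encrypted "NEWHASH2"
@@ -30,2 +30,2 @@
-        auth-password-encrypted "OLDHASH3"
+        auth-password-encrypted "NEWHASH3"
-    username snmpmon
+    username snmpadmin
"""
```

On the sample, filter_diff(SAMPLE) omits f5-a entirely and keeps only the second f5-b hunk, including its hash lines, because that hunk also changes the username.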



Re: [rancid] how cisco nx-os switch work with rancid with read-only account

2018-11-30 Thread heasley
Fri, Nov 30, 2018 at 04:40:31PM +0800, yuan song:
> I have a read access account "RO" on a Nexus 3048, and I added it to the
> .cloginrc file like this:
> add method 10.36.0.71 {ssh}
> add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
> add user 10.36.0.71 ro
> add password 10.36.0.71 XXX
> add noenable 10.36.0.71 1
> 
> However, the rancid log gives me:
> 10.36.0.71: End of run not found
> Error: TIMEOUT reached
> 
> But if I give my account full read permission, it works just fine.
> Hope someone could help me here, thanks a lot.
> 
> PS:nexus config
> role name rancid
> rule 1 permit read
> rule 2 permit command show *
> username ro password XXX role rancid

rancid must be able to alter some terminal settings; I do not know if the
role above allows this.  It must also be able to run dir.  see the full
command list in rancid.types.base.

also see the rancid FAQ; Section 3, Question 2.



[rancid] F5 'bigip' SNMP password hash changes every run

2018-11-30 Thread Gauthier, Chris
Hello,

We are using rancid 3.7 here and it successfully is backing up our F5’s.  
However, since I added SNMPv3 onto a new pair of F5’s, the password hash 
changes every time rancid runs.  I don’t mind this, since the purpose is to 
maintain a backup that I can straight-out deploy to the device, except that I 
don’t want the email telling me that password changed every time (which is 
hourly for us).

Is there a way to filter out this from the email but not from what is actually 
committed into the repo?

Thanks,
Chris

PS, forgive the signature and HTML-emails.  I cannot control any of that.

Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauth...@comscore.com
317 SW Alder Street, Suite 700 | Portland, OR 97204  United States
comscore.com


Re: [rancid] FXOS debugging

2018-11-30 Thread Ryan West
John,

Still hitting the same issue and replicated it on a fresh Ubuntu 18.04 LTS with 
8.6 expect/tcl loaded on it.

> invalid command name "^-"
while executing
"^-"
invoked from within
"expect {
-re "\b+"   { exp_continue }
-re "^\[^\n\r *]*$reprompt" { send_user -- 
"$expect_out(buffer)"
}
-re "^\[^\n\r]*$reprom..."
(procedure "run_commands" line 36)
invoked from within
"run_commands $prompt $command"
("foreach" body line 206)
invoked from within
"foreach router [lrange $argv $i end] {
set router [string tolower $router]
# attempt at platform switching.
set platform ""
send_user ..."
(file "/home/rwest/bin/fxlogin" line 870)

Thanks,

-ryan

-Original Message-
From: heasley  
Sent: Wednesday, November 28, 2018 5:54 PM
To: Ryan West 
Cc: heasley ; Rancid-discuss@shrubbery.net
Subject: Re: [rancid] FXOS debugging

Wed, Nov 28, 2018 at 04:09:40PM +, Ryan West:
> Same error -
> 
> Here is the list of installed TCL packages:
> 
> libtcl8.5:amd64
> libtcl8.6:amd64 
> tcl 
> tcl-expect:amd64
> tcl8.5  
> tcl8.6  
> 
> On a 9.6 Debian version.  It's just this script that is throwing errors as 
> well.

Why (how) do you have tcl 8.5 and 8.6?  Please make sure that expect is linked 
with 8.6.



[rancid] how cisco nx-os switch work with rancid with read-only account

2018-11-30 Thread yuan song
I have a read access account "RO" on a Nexus 3048, and I added it to the
.cloginrc file like this:
add method 10.36.0.71 {ssh}
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add user 10.36.0.71 ro
add password 10.36.0.71 XXX
add noenable 10.36.0.71 1

However, the rancid log gives me:
10.36.0.71: End of run not found
Error: TIMEOUT reached

But if I give my account full read permission, it works just fine.
Hope someone could help me here, thanks a lot.

PS:nexus config
role name rancid
rule 1 permit read
rule 2 permit command show *
username ro password XXX role rancid
