Re: [rancid] FXOS debugging
Fri, Nov 30, 2018 at 03:47:23PM +, Ryan West:
> John,
>
> Still hitting the same issue and replicated it on a fresh Ubuntu 18.04 LTS
> with 8.6 expect/tcl loaded on it.
>
> > invalid command name "^-"
> while executing
> "^-"
> invoked from within
> "expect {
> -re "\b+" { exp_continue }
> -re "^\[^\n\r *]*$reprompt" { send_user --
> "$expect_out(buffer)"
> }
> -re "^\[^\n\r]*$reprom..."
> (procedure "run_commands" line 36)
> invoked from within
> "run_commands $prompt $command"
> ("foreach" body line 206)
> invoked from within
> "foreach router [lrange $argv $i end] {
> set router [string tolower $router]
> # attempt at platform switching.
> set platform ""
> send_user ..."
> (file "/home/rwest/bin/fxlogin" line 870)

I do not see the cause in the code or the debug output. And, I do not have a device to test against. running fxlogin against an IOS device works fine.

maybe start with making sure that you are using the most recent alpha version of fxlogin. diffs since rancid 3.7 are attached.

> Thanks,
>
> -ryan
>
> -Original Message-
> From: heasley
> Sent: Wednesday, November 28, 2018 5:54 PM
> To: Ryan West
> Cc: heasley ; Rancid-discuss@shrubbery.net
> Subject: Re: [rancid] FXOS debugging
>
> Wed, Nov 28, 2018 at 04:09:40PM +, Ryan West:
> > Same error -
> >
> > Here is the list of installed TCL packages:
> >
> > libtcl8.5:amd64
> > libtcl8.6:amd64
> > tcl
> > tcl-expect:amd64
> > tcl8.5
> > tcl8.6
> >
> > On a 9.6 Debian version. It's just this script that this throwing errors
> > as well.
>
> Why (how) do you have tcl 8.5 and 8.6? Please make sure that expect is
> linked with 8.6.

Index: bin/fxlogin.in === --- bin/fxlogin.in (revision 3835) +++ bin/fxlogin.in (working copy) 
@@ -76,11 +76,12 @@ } # handle escaped ;s in commands, and ;; and ^; - regsub -all {([^\\]);;} $command "\\1;\u002;" esccommand - regsub {^;} $esccommand "\u002;" command - set sep "\\1\u001" - regsub -all {([^\\])\;} $command "$sep" esccommand - set sep "\u001" + regsub -all {([^\\]);} $command "\\1\u0002;" esccommand + regsub -all {([^\\]);;} $esccommand "\\1;\u0002;" command + regsub {^;} $command "\u0002;" esccommand + regsub -all {[\\];} $esccommand ";" command + regsub -all {\u0002;} $command "\u0002" esccommand + set sep "\u0002" set commands [split $esccommand $sep] set num_commands [llength $commands] set rshfail 0 @@ -356,7 +357,7 @@ # Run commands given on the command line. proc run_commands { prompt command } { -global do_saveconfig in_proc platform +global do_interact do_saveconfig in_proc platform set in_proc 1 # leave the prompt alone for fxos @@ -374,11 +375,12 @@ log_user 0 # handle escaped ;s in commands, and ;; and ^; -regsub -all {([^\\]);;} $command "\\1;\u002;" esccommand -regsub {^;} $esccommand "\u002;" command -set sep "\\1\u001" -regsub -all {([^\\])\;} $command "$sep" esccommand -set sep "\u001" +regsub -all {([^\\]);} $command "\\1\u0002;" esccommand +regsub -all {([^\\]);;} $esccommand "\\1;\u0002;" command +regsub {^;} $command "\u0002;" esccommand +regsub -all {[\\];} $esccommand ";" command +regsub -all {\u0002;} $command "\u0002" esccommand +set sep "\u0002" set commands [split $esccommand $sep] set num_commands [llength $commands] # the pager can not be turned off on the PIX, so we have to look 
@@ -385,11 +387,7 @@ # for the "More" prompt. the extreme is equally obnoxious in pre-12.3 XOS, # with a global switch in the config. for {set i 0} {$i < $num_commands} { incr i} { - if { [lindex $commands $i] == "\u002" } { - send -- "\r" - } else { - send -- "[subst -nocommands [lindex $commands $i]]\r" - } + send -- "[subst -nocommands [lindex $commands $i]]\r" expect { -re "\b+"{ exp_continue } -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)" @@ -397,7 +395,7 @@ -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)" exp_continue } - -re "^[^-]*--More--\[^\r\n]*[\r\n]+" { # fxos FTP pager + -re "^\[^-]*--More--\[^\r\n]*\[\r\n]+" { # fxos FTP pager send " " exp_continue } @@ -428,6 +426,11 @@ } log_user 1 +if { $do_interact == 1 } { + interact + return 0 +} + if { [string compare "extreme" "$platform"] } { send -h "exit\r" } else { ___ Rancid-discuss mailing list Rancid-discuss@shrubbery.net http://www.shrubbery.net/mailman/listinfo/rancid-discuss
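Review bot: The five-pass `regsub` sequence is added twice, once in the hunk at -76 and again inside `run_commands` in the hunk at -374, with only the one-line comment `# handle escaped ;s in commands, and ;; and ^;` to explain it. Move it into one proc that takes `$command` and returns the split list, so the two copies cannot drift, and comment what each pass does to `;`, `;;`, a leading `;` and `\;`. Since U+0002 is used as an in-band separator, it is also worth stating what should happen if the command text already contains that character.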
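Review bot: In the hunk at -385, every element of `$commands` is sent through `subst -nocommands`, which still applies variable and backslash substitution to text that came from the command line. A `$name` inside a device command is replaced with the script's own variable of that name, or raises an error when no such variable exists; if only backslash sequences are meant to be expanded, add `-novariables`. Dropping the `"\u002"` special case looks right now that `\u0002` is itself the split separator, but a one-line comment that an empty element sends a bare `\r` would help the next reader.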
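Review bot: The `--More--` pager pattern in the hunk at -397 would be safer braced than double-quoted with hand-escaped brackets. Inside a double-quoted Tcl string an unescaped `[^-]` is command substitution, which is exactly the `invalid command name "^-"` reported in this thread, and the next edit to the pattern can reintroduce it. The pattern uses no variables, so `-re {^[^-]*--More--[^\r\n]*[\r\n]+}` needs no escaping at all and the regex engine still interprets `\r` and `\n`.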
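Review bot: The new `if { $do_interact == 1 }` test in the hunk at -428 reads a global that this patch only declares (`global do_interact do_saveconfig in_proc platform` in the hunk at -356); nothing in the visible lines sets it, so confirm it is initialized on every path that reaches `run_commands`, otherwise the test fails with a can't-read error. The early `return 0` after `interact` also leaves `in_proc` at the 1 assigned at the top of the proc; if the caller does not reset it, do so before returning.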
Re: [rancid] how cisco nx-os switch work with rancid with read-only account
What if you delete these commands:

    role name rancid
    rule 1 permit read
    rule 2 permit command show *

and re-define your username command as:

    username ro password XXX role network-operator

if you're on the CLI, "show role" will show you the pre-defined roles. See here for documentation.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/system_mgmt/503_u2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2_chapter_0101.html#con_1230629

Using default / pre-defined roles, you don’t need to craft a role specifically for rancid. Unless you're concerned about a rogue user logging in with stolen credentials and having access to "show" commands you don't want to allow.

Weylin

-Original Message-
From: yuan song
Date: Friday, November 30, 2018 at 3:40 AM
To:
Subject: [rancid] how cisco nx-os switch work with rancid with read-only account

i have a read access account "RO" in nexus 3048, and i add it to .cloginrc file like that:

    add method 10.36.0.71 {ssh}
    add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
    add user 10.36.0.71 ro
    add password 10.36.0.71 XXX
    add noenable 10.36.0.71 1

however, rancid log give me:

    10.36.0.71: End of run not found
    Error: TIMEOUT reached

But, if i give my account full read permission, It works just fine.
Hope someone could help me here, thx a lot

PS:nexus config

    role name rancid
    rule 1 permit read
    rule 2 permit command show *
    username ro password XXX role rancid
Re: [rancid] F5 'bigip' SNMP password hash changes every run
Fri, Nov 30, 2018 at 04:05:52PM +, Gauthier, Chris:
> Hello,
>
> We are using rancid 3.7 here and it successfully is backing up our F5’s.
> However, since I added SNMPv3 onto a new pair of F5’s, the password hash
> changes every time rancid runs. I don’t mind this, since the purpose is to
> maintain a backup that I can straight-out deploy to the device, except that I
> don’t want the email telling me that password changed every time (which is
> hourly for us).
>
> Is there a way to filter out this from the email but not from what is
> actually committed into the repo?

well, some options:
- alter rancid/share/rtrfilter to instead filter by line regex; also see
  rancid.conf(5):DIFFSCRIPT
- have two collections; one which filters passwords/etc, another which does
  not, but which also has no diff-mail recipients. also see
  rancid.conf(5):FILES section
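The first option in the reply above (a line-regex filter applied to the diff that is mailed, leaving the committed config untouched), written out as an added example; it is not part of the original message or of rancid. It assumes the filter receives the unified diff on stdin and writes the mail body to stdout, which is how a DIFFSCRIPT-style filter would be wired in (check rancid.conf(5) for the exact invocation); the `auth-password-encrypted` / `privacy-password-encrypted` pattern and the sample diff are constructed for illustration.

```python
import re
import sys

SECRET_RE = re.compile(r"^\s*(auth|privacy)-password-encrypted\s")  # assumed
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def filter_diff(text, secret_re=SECRET_RE):
    """Drop hunks whose only changed lines are secrets; keep the rest whole."""
    lines = text.splitlines(keepends=True)
    out, pending, in_hunks, i = [], [], False, 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if m is None:
            if in_hunks:  # first header line of the next file
                pending, in_hunks = [], False
            pending.append(lines[i])
            i += 1
            continue
        in_hunks = True
        old, new = int(m.group(1) or 1), int(m.group(2) or 1)
        j = i + 1
        while j < len(lines) and (old > 0 or new > 0):
            tag = lines[j][0]
            old -= tag not in ("+", "\\")  # context and "-" lines are old
            new -= tag not in ("-", "\\")  # context and "+" lines are new
            j += 1
        if j < len(lines) and lines[j].startswith("\\"):
            j += 1  # "\ No newline at end of file" belongs to this hunk
        changed = [l[1:] for l in lines[i + 1:j] if l.startswith(("+", "-"))]
        if not all(secret_re.search(c) for c in changed):
            out += pending + lines[i:j]  # file header once, then the hunk
            pending = []
        i = j
    return "".join(out)

# Constructed sample: a hash-only hunk and a real change in the same file.
SAMPLE = """\
--- configs/f5-a\t(revision 10)
+++ configs/f5-a\t(working copy)
@@ -3,2 +3,2 @@
 sys snmp {
-    auth-password-encrypted "AAAA"
+    auth-password-encrypted "BBBB"
@@ -20 +20 @@
-    description old
+    description new
"""
if __name__ == "__main__":
    sys.stdout.write(filter_diff(sys.stdin.read()))
```

A hunk that mixes a hash line with any other change is kept whole, so a real edit next to the SNMP user is still mailed; a diff containing nothing but hash churn comes out empty.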
Re: [rancid] how cisco nx-os switch work with rancid with read-only account
Fri, Nov 30, 2018 at 04:40:31PM +0800, yuan song:
> i have a read access account "RO" in nexus 3048, and i add it to
> .cloginrc file like that:
> add method 10.36.0.71 {ssh}
> add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
> add user 10.36.0.71 ro
> add password 10.36.0.71 XXX
> add noenable 10.36.0.71 1
>
> however, rancid log give me:
> 10.36.0.71: End of run not found
> Error: TIMEOUT reached
>
> But, if i give my account full read permission, It works just fine.
> Hope someone could help me here, thx a lot
>
> PS:nexus config
> role name rancid
> rule 1 permit read
> rule 2 permit command show *
> username ro password XXX role rancid

rancid must be able to alter some terminal settings; I do not know if the role above allows this. It must also be able to run dir. see the full command list in rancid.types.base.

also see the rancid FAQ; Section 3, Question 2.
[rancid] F5 'bigip' SNMP password hash changes every run
Hello,

We are using rancid 3.7 here and it successfully is backing up our F5’s. However, since I added SNMPv3 onto a new pair of F5’s, the password hash changes every time rancid runs. I don’t mind this, since the purpose is to maintain a backup that I can straight-out deploy to the device, except that I don’t want the email telling me that password changed every time (which is hourly for us).

Is there a way to filter out this from the email but not from what is actually committed into the repo?

Thanks,
Chris

PS, forgive the signature and HTML-emails. I cannot control any of that.

Chris Gauthier
Senior Network Engineer | Comscore
Re: [rancid] FXOS debugging
John,

Still hitting the same issue and replicated it on a fresh Ubuntu 18.04 LTS with 8.6 expect/tcl loaded on it.

    > invalid command name "^-"
    while executing
    "^-"
    invoked from within
    "expect {
    -re "\b+" { exp_continue }
    -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)"
    }
    -re "^\[^\n\r]*$reprom..."
    (procedure "run_commands" line 36)
    invoked from within
    "run_commands $prompt $command"
    ("foreach" body line 206)
    invoked from within
    "foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    # attempt at platform switching.
    set platform ""
    send_user ..."
    (file "/home/rwest/bin/fxlogin" line 870)

Thanks,

-ryan

-Original Message-
From: heasley
Sent: Wednesday, November 28, 2018 5:54 PM
To: Ryan West
Cc: heasley ; Rancid-discuss@shrubbery.net
Subject: Re: [rancid] FXOS debugging

Wed, Nov 28, 2018 at 04:09:40PM +, Ryan West:
> Same error -
>
> Here is the list of installed TCL packages:
>
> libtcl8.5:amd64
> libtcl8.6:amd64
> tcl
> tcl-expect:amd64
> tcl8.5
> tcl8.6
>
> On a 9.6 Debian version. It's just this script that this throwing errors as
> well.

Why (how) do you have tcl 8.5 and 8.6? Please make sure that expect is linked with 8.6.
[rancid] how cisco nx-os switch work with rancid with read-only account
i have a read access account "RO" in nexus 3048, and i add it to .cloginrc file like that:

    add method 10.36.0.71 {ssh}
    add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
    add user 10.36.0.71 ro
    add password 10.36.0.71 XXX
    add noenable 10.36.0.71 1

however, rancid log give me:

    10.36.0.71: End of run not found
    Error: TIMEOUT reached

But, if i give my account full read permission, It works just fine.
Hope someone could help me here, thx a lot

PS:nexus config

    role name rancid
    rule 1 permit read
    rule 2 permit command show *
    username ro password XXX role rancid