Rancid linux CentOS 7 installation for Juniper/Cisco/Arista devices

Installation

yum install nano wget ftp telnet perl tcl expect gcc cvs rcs httpd autoconf openssh-clients postfix -y

groupadd netadm
useradd -g netadm -c "Networking Backups" -d /usr/local/rancid rancid
mkdir /usr/local/rancid/pkg
cd /usr/local/rancid/pkg
wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.4.1.tar.gz
tar zxvf rancid-3.4.1.tar.gz
cd rancid-3.4.1
./configure --prefix=/usr/local/rancid/
make install

Configuration

cp /usr/local/rancid/pkg/rancid-3.4.1/cloginrc.sample /usr/local/rancid/.cloginrc
chmod 0600 /usr/local/rancid/.cloginrc
chown -R rancid:netadm /usr/local/rancid/
chmod 775 /usr/local/rancid/
cp /usr/local/rancid/pkg/rancid-3.4.1/README /usr/local/rancid

SSH key/keys generation

su - rancid
ssh-keygen -t ecdsa    # for Juniper
ssh-keygen -t rsa -b 4096    # for Cisco/Arista devices
ssh-keygen -f .ssh/id_rsa.pub -l    # show the fingerprint of the specified public key file

clogin configuration

vi /usr/local/rancid/.cloginrc
#add method * ssh
#add user * rancid
#add password * RancidPW EnablePW
add password * blah

#Juniper
add user juniper-device-01 rancid
add method juniper-device-01 {ssh}
add identity juniper-device-01 $env(HOME)/.ssh/id_ecdsa

#Cisco/Arista
add user ciscoarista-device-02 rancid
add method ciscoarista-device-02 {ssh}
add identity ciscoarista-device-02 $env(HOME)/.ssh/id_rsa
add autoenable ciscoarista-device-02 1

Rancid configuration

vi /usr/local/rancid/etc/rancid.conf
LIST_OF_GROUPS="LOC1 LOC2"
FILTER_PWDS=NO; export FILTER_PWDS
NOCOMMSTR=NO; export NOCOMMSTR

Once you are happy with your groups, run rancid-cvs as the rancid user to create the required directories and files:
su - rancid
/usr/local/rancid/bin/rancid-cvs

router.db config
echo "juniper-device-01;juniper;up" >> /usr/local/rancid/var/LOC1/router.db
echo "ciscoarista-device-02;arista;up" >> /usr/local/rancid/var/LOC1/router.db
or
echo "ciscoarista-device-02;cisco;up" >> /usr/local/rancid/var/LOC1/router.db

vi /etc/aliases:
rancid-LOC1: mail1@mail.com
rancid-admin-LOC1: mail1@mail.com
rancid-LOC2: mail1@mail.com
rancid-admin-LOC2: mail1@mail.com

newaliases

SMTP postfix relay configuration

vi /etc/postfix/main.cf
inet_interfaces = 192.168.0.100
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost = 192.168.0.111
smtp_fallback_relay = 192.168.0.112
mydomain = subdomain.domain.com
myorigin = monhost.subdomain.domain.com
mydestination = monhost.subdomain.domain.com
local_transport = error:local mail delivery is disabled

systemctl restart postfix
systemctl status postfix

Juniper device configuration
set system login class RANCID permissions access
set system login class RANCID permissions admin
set system login class RANCID permissions firewall
set system login class RANCID permissions flow-tap
set system login class RANCID permissions interface
set system login class RANCID permissions network
set system login class RANCID permissions routing
set system login class RANCID permissions secret
set system login class RANCID permissions security
set system login class RANCID permissions snmp
set system login class RANCID permissions storage
set system login class RANCID permissions system
set system login class RANCID permissions trace
set system login class RANCID permissions view
set system login class RANCID permissions view-configuration
set system login user rancid full-name RANCID
set system login user rancid uid 2020
set system login user rancid class RANCID
set system login user rancid authentication ssh-ecdsa "ecdsa-sha2-nistp256 loooooooooooooooong-hash LOC1MGMTRANCID"

Cisco device configuration
# You can find the SSH RSA key fingerprint with the ssh-keygen -f .ssh/id_rsa.pub -l command
username rancid privilege 15
ip ssh pubkey-chain
username rancid
key-hash ssh-rsa ssh-rsa-fingerprint-without-colons
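
Added example (not from the original post): recent OpenSSH releases print SHA256 fingerprints by default, while the key-hash line above takes the colon-free MD5 digest of the key blob. The helper below derives that value straight from the public key file and refuses non-RSA keys such as the ECDSA key generated for Juniper; the function names cisco_key_hash and ios_pubkey_stanza are hypothetical, and the sample key line is constructed.

```shell
#!/bin/sh
# Derive the value for the IOS "key-hash ssh-rsa" line from an OpenSSH public key.
# Assumption: the hash is the MD5 digest of the base64-decoded key blob, i.e. the
# MD5 fingerprint that ssh-keygen shows, with the colons removed.

cisco_key_hash() {
    pub=$1
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # A .pub file is one line: "<type> <base64 blob> [comment]".
    read -r ktype blob rest < "$pub" || true
    if [ "$ktype" != "ssh-rsa" ]; then
        echo "$pub: key type '$ktype' is not ssh-rsa" >&2
        return 1
    fi
    # Reject an empty or damaged blob before hashing it.
    [ -n "$blob" ] && printf '%s' "$blob" | base64 -d >/dev/null 2>&1 ||
        { echo "$pub: blob is not valid base64" >&2; return 1; }
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Print the pubkey-chain lines used on this page with the hash filled in.
ios_pubkey_stanza() {
    user=$1
    h=$(cisco_key_hash "$2") || return 1
    printf 'ip ssh pubkey-chain\n username %s\n  key-hash ssh-rsa %s\n' "$user" "$h"
}

# Constructed stand-in for ~/.ssh/id_rsa.pub: the blob is just base64("abc"),
# not a real key, so the digest is the well-known MD5 of "abc".
demo=$(mktemp)
printf 'ssh-rsa YWJj rancid@monhost\n' > "$demo"
ios_pubkey_stanza rancid "$demo"
rm -f "$demo"
```

On the RANCID host, run `ios_pubkey_stanza rancid /usr/local/rancid/.ssh/id_rsa.pub` and paste the result into the device configuration.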

Arista device configuration
aaa authorization exec default local none
username rancid privilege 15 secret secret-password
username rancid sshkey ssh-rsa ssh-rsa-key-public-part-from-id_rsa.pub rancid@monhost

Check that passwordless SSH login works
#juniper
/usr/local/rancid/bin/jlogin -c "show version" juniper-device-01
#arista/cisco
/usr/local/rancid/bin/clogin -c "show configuration" ciscoarista-device-02

Rancid manual start
/usr/local/rancid/bin/rancid-run
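
With FILTER_PWDS=NO and NOCOMMSTR=NO set in rancid.conf above, password hashes and SNMP community strings stay in the saved configs, which are then committed to CVS, mailed as diffs and served through ViewVC. The added example below (not from the original post) counts such lines per device after a run; the function names, the patterns, the configs directory location and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Lines that carry credentials in Junos, IOS and EOS configs (illustrative patterns, not exhaustive).
SECRET_RE='SECRET-DATA|encrypted-password|enable (secret|password) |username .* (secret|password) |snmp-server community |^ *community '

# Print "<device> <count>" for every saved config that contains such lines.
scan_configs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=$(grep -Ec "$SECRET_RE" "$f" || true)
        [ "$n" -gt 0 ] && printf '%s %s\n' "$(basename "$f")" "$n"
    done
    return 0
}

# Constructed sample configs standing in for /usr/local/rancid/var/LOC1/configs
# (assumed location of the saved configs for group LOC1).
write_sample_configs() {
    cat > "$1/juniper-device-01" <<'EOF'
system {
    login {
        user rancid {
            authentication {
                encrypted-password "CONSTRUCTED-HASH"; ## SECRET-DATA
            }
        }
    }
}
snmp {
    community "CONSTRUCTED" {
        authorization read-only;
    }
}
EOF
    cat > "$1/ciscoarista-device-02" <<'EOF'
hostname sw02
enable secret 5 CONSTRUCTED-HASH
username rancid privilege 15 secret 5 CONSTRUCTED-HASH
snmp-server community CONSTRUCTED RO
interface Ethernet1
EOF
}

sample=$(mktemp -d)
write_sample_configs "$sample"
scan_configs "$sample"
rm -rf "$sample"
```

Any device reported here has secrets in every place the configs travel, so the CVS tree, the mail aliases and the ViewVC URL need the same access control as the devices themselves.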

CRON setup
crontab -u rancid -e

1 * * * * /usr/local/rancid/bin/rancid-run

# Daily Clean Up of Diff Files at 11 50 pm
50 23 * * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +2 -exec rm {} \;

# Daily Clean Up of .SITE.run.lock Files at 11 50 pm
50 23 * * * rm /tmp/.*.lock

ViewVC installation

If RANCID has been provisioned as a VM, I suggest taking a snapshot at this point in case you make any mistakes configuring ViewVC.

cd /usr/local/rancid/pkg
wget http://viewvc.tigris.org/files/documents/3330/49392/viewvc-1.1.23.tar.gz
tar -zxvf viewvc-1.1.23.tar.gz
cd viewvc-1.1.23
./viewvc-install ## we set the installation path as /usr/local/viewvc

Consult the INSTALL document for detailed information on completing the installation and configuration of ViewVC on your system. Here’s a brief overview of the remaining steps:

1) Edit the /usr/local/viewvc/viewvc.conf file.

2) Copy /usr/local/viewvc/bin/cgi/viewvc.cgi to an already-configured cgi-bin directory.

vi /usr/local/viewvc/viewvc.conf

root_parents = /usr/local/rancid/var/CVS : cvs
rcs_dir = /usr/bin/
#use_enscript = 1
#enscript_path = /usr/bin/
#use_highlight = 1
#highlight_path = /usr/bin

cp /usr/local/viewvc/bin/cgi/*.cgi /var/www/cgi-bin/

chown apache:apache /var/www/cgi-bin/query.cgi
chown apache:apache /var/www/cgi-bin/viewvc.cgi

vi /etc/httpd/conf/httpd.conf
ScriptAlias /rancid "/var/www/cgi-bin/viewvc.cgi"
ScriptAlias /query "/var/www/cgi-bin/query.cgi"

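# The auth block has to match the ScriptAlias paths above (/rancid, /query) and the
# CGI copies reachable under /cgi-bin/; nothing is served at /viewvc
<LocationMatch "^/(rancid|query|cgi-bin/(viewvc|query)\.cgi)">
AuthType basic
AuthName "Client Access"
AuthUserFile /usr/local/viewvc/passwd
Require valid-user
</LocationMatch>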

htpasswd -c /usr/local/viewvc/passwd admin

systemctl restart httpd

Links:
https://www.cryptomonkeys.com/2013/09/rancid-junos/
https://www.ip-life.net/rancid-setup-on-ubuntu-10-04-lts/
