Nov 12 2010

Ham-fisted vyatta configuration backups with Rancid.

Router mark

Rancid “Really Awesome New ConfIg Differ” is a very cool little suite of scripts that monitor the configurations on routers or other devices and keeps them in a version control system. If you admin more than a few such devices I highly recommend it. Not only is it a lifesaver to have the configs backed up and diffed automatically, but it can be fun to abuse some of the internals like the “clogin” script to push out changes or the like.

Rancid is full of very good expect scripts that know how to get all kinds of info from Cisco routers and a slew of other devices.

But I wanted to use it the same way with my vyatta routers too. I had great hopes of writing excellent expect scripts to do it, there was just one problem. I don’t know how to do that 😐

Fortunately in addition to the preconfigured device types, someone figured out that rancid can also be set up with a “wrapper” device where you can just throw in any ugly script and it will point it at your device and throw whatever comes back into CVS just like it was one of the carefully parsed and sanitized configs.

The proof-of-concept code for that was a perl script called vpn3k written by Michael Stefaniuc at Red Hat, that could scp configs for Altera’s VPN 3000 concentrators. So I hacked it up a little bit to grab a couple snmp strings and then scp over the written config. That’s pretty sub-optimal since you only get the saved config, not the running config. Also Mr. Stefaniuc warns that the script may eat babies. But it works, and I don’t have to set up seperate cronjobs or CVS and the like. It all gets taken care of by rancid just like the non-free routers.


Is the actual wrapper code that sits in $RANCID_HOME/bin in lieu of a good expect script and calls the perl script:


Which you copy to $RANCID_HOME/share/wrapper/vyatta (note the name change) where it will make a new device type of wrapper.vyatta available for you to use in your router.db file:

You do have to set up scp to work unattended also. I recommend you do it with authorized_keys, though the other rancid scripts can store plain text passwords (for telnet!) in the .cloginrc file, so you can be just as insecure as you’d like.