[rancid] rancid-run doesn't work from cron for panorama but works manually
Lucian-Ionut Lepadatu
lepadatu.lucian at gmail.com
Wed Jul 26 13:47:23 UTC 2023
Hello,
I am trying to make rancid pull the configs from a pair of Palo Alto
Panorama devices.
I've installed it on an Alma Linux 9 box with the default package from epel
(rancid.x86_64 3.13-7.el9).
I have in router.db a list of Palo Alto firewalls and a pair of Panorama
devices. Login to all devices works.
If I log in as the rancid user and run rancid-run from the shell
([rancid@rancidbox ~]$ /usr/libexec/rancid/rancid-run) it gets the config
for all devices.
If I log in as root and run rancid-run as the rancid user ("[rancid@rancidbox
~]# sudo -u rancid /usr/libexec/rancid/rancid-run") it also works for all
devices.
But if I try to run it from cron as the user rancid, it works for the
firewalls but not for panorama.
The cron entry looks like this:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/var/rancid
0 */8 * * * rancid /usr/libexec/rancid/rancid-run
In the rancid logs I see:
missed cmd(s): all commands
End of run not found
panlogin error: Error: TIMEOUT reached
I've managed to capture the .raw and .new files for a Panorama device when
rancid-run was executed from cron, and it looks like it connects to the device
but then gets stuck:
[rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.raw
panorama_hostname.internal.domain
spawn ssh -x -l rancid_login_user panorama_hostname.internal.domain
*************************************************************************
*                                                                       *
*      WARNING! Access to this device is restricted                     *
*      to those individuals with specific                               *
*      permissions. If you are not an authorized user                   *
*      disconnect now.                                                  *
*                                                                       *
*      Any attempts to gain unauthorized access                         *
*      will be prosecuted to the fullest                                *
*      extent of the law.                                               *
*                                                                       *
*************************************************************************
(rancid_login_user@panorama_hostname.internal.domain) Password:
Last login: Wed Jul 26 11:51:59 2023 from IP.XXX.YYY.ZZZ
No entry for terminal type "network";
using dumb terminal settings.
Number of failed attempts since last successful login: 0
rancid_login_user@panorama_hostname.internal.domain(primary-active)>
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting-mode
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting-mode on
rancid_login_user@panorama_hostname.internal.domain(primary-active)>
[rancid@rancidbox ~]$
[rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.new
#RANCID-CONTENT-TYPE: paloalto
#
If I try to run rancid instead of rancid-run from cron for Panorama, it
works (it needs a PATH added to be able to find the panlogin script, but other
than that it succeeds):
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/libexec/rancid/:/usr/share/perl5/vendor_perl/rancid
08 10 * * * rancid /usr/libexec/rancid/rancid -t paloalto -d panorama_hostname.internal.domain
I've also taken a dump of all environment variables for the rancid user and
put it in cron, but the result is the same as before: rancid-run always fails for
Panorama but works for the firewalls (and the .raw file has the same content
every time).
I was thinking that since invoking rancid from cron works but rancid-run
fails, it might have something to do with how control_rancid or rancid-fe
invokes rancid but couldn't see anything obvious in those scripts
that might cause this behaviour.
I am not sure what exactly fails. I appreciate any pointers you might have.
Thanks,
Lucian Lepadatu
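The post above boils down to a job that behaves differently under cron than in an interactive shell. The following is an added example, not part of the original post and not part of rancid: a small POSIX sh diagnostic that records the environment a process actually runs with (including whether it has a terminal) and then lists every variable that the cron capture is missing or sets differently from the interactive capture. The script name, the capture file names, the sample dumps and the HAS_TTY/UMASK pseudo-variables are all assumptions made for the example; the default cron PATH used in the sample is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post or from rancid): diagnose "works from the
# shell, hangs from cron" by capturing and comparing the two environments.
# Assumed usage:
#   interactive:  ./cron-env-diag.sh --capture /var/rancid/interactive.env
#   crontab:      0 */8 * * * rancid /path/cron-env-diag.sh --capture /var/rancid/cron.env
#   then:         ./cron-env-diag.sh --diff /var/rancid/interactive.env /var/rancid/cron.env

# capture_env OUTFILE
# Dump the sorted environment plus two facts cron jobs often differ on:
# whether stdin is a terminal, and the umask. Both are written as NAME=VALUE
# lines so env_diff can treat them like ordinary variables (an assumption of
# this example, not something cron or rancid emits).
capture_env() {
    _out="$1"
    {
        env | sort
        if [ -t 0 ]; then echo "HAS_TTY=yes"; else echo "HAS_TTY=no"; fi
        printf 'UMASK=%s\n' "$(umask)"
    } > "$_out"
}

# env_diff INTERACTIVE_DUMP CRON_DUMP
# Print one line per variable that the interactive dump has but the cron dump
# lacks ("missing NAME") or sets to a different value ("differs NAME").
# The first file read (the cron dump) is indexed by name; values may contain
# '=' so everything after the first '=' is the value.
env_diff() {
    awk -F'=' '
        FILENAME == ARGV[1] { cron[$1] = substr($0, length($1) + 2); next }
        {
            name = $1
            val  = substr($0, length($1) + 2)
            if (!(name in cron))        print "missing " name
            else if (cron[name] != val) print "differs " name
        }' "$2" "$1"
}

# make_samples: write two constructed captures into a temp dir and print its
# path. These stand in for real captures; the cron PATH is the one from the
# post's crontab, the rest are made-up but typical values.
make_samples() {
    _dir=$(mktemp -d)
    cat > "$_dir/interactive.env" <<'EOF'
HAS_TTY=yes
HOME=/var/rancid
LANG=en_US.UTF-8
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
SHELL=/bin/bash
TERM=xterm-256color
EOF
    cat > "$_dir/cron.env" <<'EOF'
HAS_TTY=no
HOME=/var/rancid
PATH=/sbin:/bin:/usr/sbin:/usr/bin
SHELL=/bin/bash
EOF
    echo "$_dir"
}

case "${1:-}" in
    --capture) capture_env "$2" ;;
    --diff)    env_diff "$2" "$3" ;;
    --demo)    _d=$(make_samples); env_diff "$_d/interactive.env" "$_d/cron.env"; rm -rf "$_d" ;;
esac
```

Running the demo on the constructed samples reports `differs HAS_TTY`, `missing LANG`, `differs PATH` and `missing TERM`; on real captures the same report tells you which variables (and whether a tty) to set in the crontab or in a wrapper before reaching for the rancid scripts themselves.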