[rancid] rancid-run doesn't work from cron for panorama but works manually

Piegorsch, Weylin William weylin at bu.edu
Thu Jul 27 04:01:57 UTC 2023


From the CRON file you shared, it looks like you’re executing this in the crontab in /etc? I find it more reliable to execute system management tasks there (logrotate; updatedb; and so forth), but for rancid’s environment to be set up correctly when using rancid’s personal CRON file.
“sudo su - rancid ; crontab -e”

Just remember that in a user’s crontab you don’t need to specify the user.






Weylin Piegorsch |  Manager, Network Engineering
Boston University Information Services & Technology
weylin at bu.edu | 617.353.8128 | bu.edu/tech <http://www.bu.edu/tech>
Listen. Learn. Lead.




From: Lucian-Ionut Lepadatu <lepadatu.lucian at gmail.com>
Sent: Wednesday, July 26, 2023 9:47 AM
To: rancid-discuss at www.shrubbery.net
Subject: [rancid] rancid-run doesn't work from cron for panorama but works manually

Hello,

I am trying to make rancid pull the configs from a pair of Palo Alto Panorama devices.
I've installed it on an Alma Linux 9 box with the default package from epel (rancid.x86_64 3.13-7.el9).
I have in router.db a list of Palo Alto firewalls and a pair of Panorama devices. Login to all devices works.
If I log in with the rancid user and run rancid-run from the shell ([rancid at rancidbox ~]$ /usr/libexec/rancid/rancid-run) it gets the config for all devices.
If I log in as root and run rancid-run as the rancid user ("[rancid at rancidbox ~]# sudo -u rancid /usr/libexec/rancid/rancid-run") it also works for all devices.
But if I try to run it from cron as the user rancid, it works for the firewalls but not for panorama.

The cron entry looks like this:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/var/rancid

0 */8 * * * rancid /usr/libexec/rancid/rancid-run

In the rancid logs I see:
missed cmd(s): all commands
End of run not found
panlogin error: Error: TIMEOUT reached

I've managed to capture the .raw and .new files for a panorama device when rancid-run was executed from cron, and it looks like it connects to the device but it gets stuck:

[rancid at rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.raw
panorama_hostname.internal.domain
spawn ssh -x -l rancid_login_user panorama_hostname.internal.domain
*************************************************************************
 *                                                                       *
 *              WARNING! Access to this device is restricted             *
 *                   to those individuals with specific                  *
 *             permissions. If you are not an authorized user            *
 *                             disconnect now.                           *
 *                                                                       *
 *                 Any attempts to gain unauthorized access              *
 *                     will be prosecuted to the fullest                 *
 *                             extent of the law.                        *
 *                                                                       *
 *************************************************************************
(rancid_login_user at panorama_hostname.internal.domain) Password:
Last login: Wed Jul 26 11:51:59 2023 from IP.XXX.YYY.ZZZ
No entry for terminal type "network";
using dumb terminal settings.



Number of failed attempts since last successful login: 0



rancid_login_user at panorama_hostname.internal.domain(primary-active)>
rancid_login_user at panorama_hostname.internal.domain(primary-active)> set
rancid_login_user at panorama_hostname.internal.domain(primary-active)> set cli
rancid_login_user at panorama_hostname.internal.domain(primary-active)> set cli scripting
-mode
rancid_login_user at panorama_hostname.internal.domain(primary-active)> set cli scripting
-mode on
rancid_login_user at panorama_hostname.internal.domain(primary-active)> [rancid at rancidbox ~]$




[rancid at rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.new
#RANCID-CONTENT-TYPE: paloalto
#

If I try to run rancid instead of rancid-run from cron for panorama it works (needs a PATH added to be able to find the panlogin script but other than that it succeeds).

PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/libexec/rancid/:/usr/share/perl5/vendor_perl/rancid
08 10 * * * rancid /usr/libexec/rancid/rancid -t paloalto -d panorama_hostname.internal.domain

I've also got a dump of all environment variables for the rancid user and put it in cron but same as before: rancid-run always fails for panorama but works for the firewalls. (it has the same content in the .raw file every time)

I was thinking that since invoking rancid from cron works but rancid-run fails, it might have something to do with how control_rancid or rancid-fe invokes rancid but couldn't see anything obvious in those scripts that might cause this behaviour.

I am not sure what exactly fails. I appreciate any pointers you might have.

Thanks,
Lucian Lepadatu
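
The format difference the reply at the top points out (an entry in the crontab under /etc carries a user field, an entry in rancid's own crontab does not), as an added example that is not part of the thread. The function names and the root logrotate line are constructed for illustration; the rancid entry and environment lines are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite /etc/crontab-style entries
# (which carry a user field) into per-user crontab form for one account.

# to_user_crontab USER: system-crontab text on stdin, user crontab on stdout.
to_user_crontab() {
    awk -v user="$1" '
        # Blank lines and comments are valid in both formats.
        /^[ \t]*(#|$)/ { print; next }
        # So are environment settings such as PATH=... and HOME=...
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { print; next }
        {
            # "@daily"-style entries have one schedule field, others five.
            nsched = ($1 ~ /^@/) ? 1 : 5
            # Skip malformed lines and jobs that belong to other accounts.
            if (NF < nsched + 2 || $(nsched + 1) != user) next
            sched = $1
            for (i = 2; i <= nsched; i++) sched = sched " " $i
            # Strip schedule and user from the raw line so the command
            # keeps its original spacing and quoting.
            cmd = $0
            for (i = 1; i <= nsched + 1; i++)
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
            print sched " " cmd
        }
    '
}

# Sample input: the entry quoted in the thread plus one constructed root job.
sample_system_crontab() {
    cat <<'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/var/rancid

0 */8 * * * rancid /usr/libexec/rancid/rancid-run
17 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF
}

sample_system_crontab | to_user_crontab rancid
```

The output keeps the environment lines, drops the root job, and emits the rancid job without its user field, which is the form expected in the editor opened by `crontab -e` as the rancid user.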
