RANCID
RANCID is a tool that can monitor configuration changes on network devices, and mail the diffs periodically. It's installed on netmon1003 from the (rather alpha-quality) Debian/Ubuntu packages.
Rancid configuration is in /etc/rancid/ and /var/lib/rancid/.
You can clone the rancid repo with:
git clone ssh://netmon1003.wikimedia.org:/var/lib/rancid/core/ rancid-configs
To manually test that RANCID has access to a device:
sudo -u rancid SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh rancid@<hostname>
To manually run RANCID data collection (without the git part or the secrets redaction):
cd /var/lib/rancid
sudo -u rancid SSH_AUTH_SOCK=/run/keyholder/proxy.sock /usr/bin/perl /usr/lib/rancid/bin/rancid -d -t <platform> <fqdn>
Platform is the keyword from router.db.
You can then also manually run the commands that start with executing [...] to see the data being collected from the device.
Equipment notes
Juniper
The following configuration works on JUNOS:
system {
    login {
        class rancid {
            permissions [ view view-configuration ];
        }
        user rancid {
            uid 2002;
            class rancid;
            authentication {
                ssh-rsa "ssh-rsa rancid public-key"; ## SECRET-DATA
            }
        }
    }
}
OpenGear
See Platform-specific documentation/Opengear Serial Consoles#Initial Setup
And https://opengear.zendesk.com/hc/en-us/articles/216369543-RANCID-Support
Nokia SR-Linux
See https://gerrit.wikimedia.org/r/c/operations/puppet/+/1176216
For RANCID to work, we currently need to SSH to the switch as the rancid user (see above), then run these two commands:
environment cli-engine type basic
environment save home
This limitation comes from the comment at: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1176216/3/modules/rancid/files/bin/srllogin#867