Mailing List Archive

rancid-run doesn't work from cron for panorama but works manually
Hello,

I am trying to make rancid pull the configs from a pair of Palo Alto
Panorama devices.
I've installed it on an Alma Linux 9 box with the default package from epel
(rancid.x86_64 3.13-7.el9).
I have in router.db a list of Palo Alto firewalls and a pair of Panorama
devices. Login to all devices works.
If I login with the rancid user and run rancid-run from the shell
([rancid@rancidbox ~]$ /usr/libexec/rancid/rancid-run) it gets the config
for all devices.
If I login as root and run rancid run as the rancid user ("[rancid@rancidbox
~]# sudo -u rancid /usr/libexec/rancid/rancid-run") it also works for all
devices.
But if I try to run it from cron as the user rancid, it works for the
firewalls but not for panorama.

The cron entry looks like this:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/var/rancid

0 */8 * * * rancid /usr/libexec/rancid/rancid-run

In the rancid logs I see:

missed cmd(s): all commands
End of run not found
panlogin error: Error: TIMEOUT reached

I've managed to capture the .raw and .new files for a panorama device when
rancid-run was executed from cron and looks like it connects to the device
but it gets stuck:

[rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.raw
panorama_hostname.internal.domain
spawn ssh -x -l rancid_login_user panorama_hostname.internal.domain
*************************************************************************
* *
* WARNING! Access to this device is restricted *
* to those individuals with specific *
* permissions. If you are not an authorized user *
* disconnect now. *
* *
* Any attempts to gain unauthorized access *
* will be prosecuted to the fullest *
* extent of the law. *
* *
*************************************************************************
(rancid_login_user@panorama_hostname.internal.domain) Password:
Last login: Wed Jul 26 11:51:59 2023 from IP.XXX.YYY.ZZZ
No entry for terminal type "network";
using dumb terminal settings.

Number of failed attempts since last successful login: 0

rancid_login_user@panorama_hostname.internal.domain(primary-active)>
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting
-mode
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting
-mode on
rancid_login_user@panorama_hostname.internal.domain(primary-active)> [rancid@rancidbox ~]$

[rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.new
#RANCID-CONTENT-TYPE: paloalto
#

If I try to run rancid instead of rancid-run from cron for panorama it
works (needs a PATH added to be able to find the panlogin script but other
than that it succeeds)

PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/libexec/rancid/:/usr/share/perl5/vendor_perl/rancid
08 10 * * * rancid /usr/libexec/rancid/rancid -t paloalto -d panorama_hostname.internal.domain

I've also got a dump of all environment variables for the rancid user and
put it in cron but same as before: rancid-run always fails for panorama but
works for the firewalls. (it has the same content in the .raw file every
time)

I was thinking that since invoking rancid from cron works but rancid-run
fails, it might have something to do with how control_rancid or rancid-fe
invokes rancid but couldn't see anything obvious in those scripts
that might cause this behaviour.

I am not sure what exactly fails. I appreciate any pointers you might have.

Thanks,
Lucian Lepadatu
Re: rancid-run doesn't work from cron for panorama but works manually
From the CRON file you shared, it looks like you’re executing this in the crontab in /etc? I find it more reliable to execute system management tasks there (logrotate; updatedb; and so forth), but for rancid’s environment to be setup correctly when using rancid’s personal CRON file.
“sudo su - rancid ; crontab -e”

Just remember that in a user’s crontab you don’t need to specify the user.

Weylin Piegorsch | Manager, Network Engineering
Boston University Information Services & Technology
weylin@bu.edu | 617.353.8128 | bu.edu/tech <http://www.bu.edu/tech>
Listen. Learn. Lead.

From: Lucian-Ionut Lepadatu <lepadatu.lucian@gmail.com>
Sent: Wednesday, July 26, 2023 9:47 AM
To: rancid-discuss@www.shrubbery.net
Subject: [rancid] rancid-run doesn't work from cron for panorama but works manually

Hello,

I am trying to make rancid pull the configs from a pair of Palo Alto Panorama devices.
I've installed it on an Alma Linux 9 box with the default package from epel (rancid.x86_64 3.13-7.el9).
I have in router.db a list of Palo Alto firewalls and a pair of Panorama devices. Login to all devices works.
If I login with the rancid user and run rancid-run from the shell ([rancid@rancidbox ~]$ /usr/libexec/rancid/rancid-run) it gets the config for all devices.
If I login as root and run rancid run as the rancid user ("[rancid@rancidbox ~]# sudo -u rancid /usr/libexec/rancid/rancid-run") it also works for all devices.
But if I try to run it from cron as the user rancid, it works for the firewalls but not for panorama.

The cron entry looks like this:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/var/rancid

0 */8 * * * rancid /usr/libexec/rancid/rancid-run
In the rancid logs I see:
missed cmd(s): all commands
End of run not found
panlogin error: Error: TIMEOUT reached

I've managed to capture the .raw and .new files for a panorama device when rancid-run was executed from cron and looks like it connects to the device but it gets stuck:

[rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.raw
panorama_hostname.internal.domain
spawn ssh -x -l rancid_login_user panorama_hostname.internal.domain
*************************************************************************
* *
* WARNING! Access to this device is restricted *
* to those individuals with specific *
* permissions. If you are not an authorized user *
* disconnect now. *
* *
* Any attempts to gain unauthorized access *
* will be prosecuted to the fullest *
* extent of the law. *
* *
*************************************************************************
(rancid_login_user@panorama_hostname.internal.domain) Password:
Last login: Wed Jul 26 11:51:59 2023 from IP.XXX.YYY.ZZZ
No entry for terminal type "network";
using dumb terminal settings.

Number of failed attempts since last successful login: 0

rancid_login_user@panorama_hostname.internal.domain(primary-active)>
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting
-mode
rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting
-mode on
rancid_login_user@panorama_hostname.internal.domain(primary-active)> [rancid@rancidbox ~]$

[rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.new
#RANCID-CONTENT-TYPE: paloalto
#

If I try to run rancid instead of rancid-run from cron for panorama it works (needs a PATH added to be able to find the panlogin script but other than that it succeeds)

PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/libexec/rancid/:/usr/share/perl5/vendor_perl/rancid
08 10 * * * rancid /usr/libexec/rancid/rancid -t paloalto -d panorama_hostname.internal.domain

I've also got a dump of all environment variables for the rancid user and put it in cron but same as before: rancid-run always fails for panorama but works for the firewalls. (it has the same content in the .raw file every time)

I was thinking that since invoking rancid from cron works but rancid-run fails, it might have something to do with how control_rancid or rancid-fe invokes rancid but couldn't see anything obvious in those scripts that might cause this behaviour.

I am not sure what exactly fails. I appreciate any pointers you might have.

Thanks,
Lucian Lepadatu
Re: rancid-run doesn't work from cron for panorama but works manually
Indeed, the cron file that I've shared previously was the default one from
the rpm /etc/cron.d/rancid.
I've already tried the rancid user specific crontab but that behaves
exactly the same.
Given the format of the output from the .raw file ("set cli scripting-mode
on" for example is not on a single line), maybe rancid is having trouble
parsing the output; I've tried adjusting the TERM and COLUMNS env vars and
even changed the hostname to something very short but without success.
That's what's been puzzling me: on one hand it looks like an env issue but
on the other even when run from the rancid user's crontab it still does not
work and I cannot pinpoint what exactly fails.

Thanks,
Lucian Lepadatu

On Thu, Jul 27, 2023 at 6:02 AM Piegorsch, Weylin William <weylin@bu.edu> wrote:

> From the CRON file you shared, it looks like you’re executing this in the
> crontab in /etc? I find it more reliable to execute system management
> tasks there (logrotate; updatedb; and so forth), but for rancid’s
> environment to be setup correctly when using rancid’s personal CRON file.
>
> “sudo su - rancid ; crontab -e”
>
> Just remember that in a user’s crontab you don’t need to specify the user.
>
> Weylin Piegorsch | Manager, Network Engineering
> Boston University Information Services & Technology
> weylin@bu.edu | 617.353.8128 | bu.edu/tech <http://www.bu.edu/tech>
> Listen. Learn. Lead.
>
> From: Lucian-Ionut Lepadatu <lepadatu.lucian@gmail.com>
> Sent: Wednesday, July 26, 2023 9:47 AM
> To: rancid-discuss@www.shrubbery.net
> Subject: [rancid] rancid-run doesn't work from cron for panorama but works manually
>
> Hello,
>
> I am trying to make rancid pull the configs from a pair of Palo Alto
> Panorama devices.
>
> I've installed it on an Alma Linux 9 box with the default package from
> epel (rancid.x86_64 3.13-7.el9).
> I have in router.db a list of Palo Alto firewalls and a pair of Panorama
> devices. Login to all devices works.
>
> If I login with the rancid user and run rancid-run from the shell
> ([rancid@rancidbox ~]$ /usr/libexec/rancid/rancid-run) it gets the config
> for all devices.
> If I login as root and run rancid run as the rancid user
> ("[rancid@rancidbox ~]# sudo -u rancid /usr/libexec/rancid/rancid-run")
> it also works for all devices.
>
> But if I try to run it from cron as the user rancid, it works for the
> firewalls but not for panorama.
>
>
> The cron entry looks like this:
>
> SHELL=/bin/bash
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> MAILTO=root
> HOME=/var/rancid
>
> 0 */8 * * * rancid /usr/libexec/rancid/rancid-run
>
> In the rancid logs I see:
>
> missed cmd(s): all commands
> End of run not found
> panlogin error: Error: TIMEOUT reached
>
> I've managed to capture the .raw and .new files for a panorama device when
> rancid-run was executed from cron and looks like it connects to the device
> but it gets stuck:
>
> [rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.raw
> panorama_hostname.internal.domain
> spawn ssh -x -l rancid_login_user panorama_hostname.internal.domain
> *************************************************************************
> * *
> * WARNING! Access to this device is restricted *
> * to those individuals with specific *
> * permissions. If you are not an authorized user *
> * disconnect now. *
> * *
> * Any attempts to gain unauthorized access *
> * will be prosecuted to the fullest *
> * extent of the law. *
> * *
> *************************************************************************
> (rancid_login_user@panorama_hostname.internal.domain) Password:
> Last login: Wed Jul 26 11:51:59 2023 from IP.XXX.YYY.ZZZ
> No entry for terminal type "network";
> using dumb terminal settings.
>
> Number of failed attempts since last successful login: 0
>
> rancid_login_user@panorama_hostname.internal.domain(primary-active)>
> rancid_login_user@panorama_hostname.internal.domain(primary-active)> set
> rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli
> rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting
> -mode
> rancid_login_user@panorama_hostname.internal.domain(primary-active)> set cli scripting
> -mode on
> rancid_login_user@panorama_hostname.internal.domain(primary-active)> [rancid@rancidbox ~]$
>
> [rancid@rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.new
> #RANCID-CONTENT-TYPE: paloalto
> #
>
> If I try to run rancid instead of rancid-run from cron for panorama it
> works (needs a PATH added to be able to find the panlogin script but other
> than that it succeeds)
>
> PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/libexec/rancid/:/usr/share/perl5/vendor_perl/rancid
> 08 10 * * * rancid /usr/libexec/rancid/rancid -t paloalto -d panorama_hostname.internal.domain
>
> I've also got a dump of all environment variables for the rancid user and
> put it in cron but same as before: rancid-run always fails for panorama but
> works for the firewalls. (it has the same content in the .raw file every
> time)
>
> I was thinking that since invoking rancid from cron works but rancid-run
> fails, it might have something to do with how control_rancid or rancid-fe
> invokes rancid but couldn't see anything obvious in those scripts
> that might cause this behaviour.
>
> I am not sure what exactly fails. I appreciate any pointers you might have.
>
> Thanks,
> Lucian Lepadatu
>
>
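
Added example, not part of the thread or of rancid: the last message reports that copying the interactive environment into cron changed nothing, so what still differs between the two runs is the terminal and session context, and this sketch reports that context and reruns a command under cron-like conditions. The function names and probe keys (`fdN_tty`, `ctty`) are made up here; the three variables are the ones in the cron file quoted above, and `setsid` from util-linux is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Function and key names are made up here.

# Probe kept in a variable so it can be handed to a fresh `sh -c`.
PROBE='
for fd in 0 1 2; do
    if [ -t "$fd" ]; then echo "fd${fd}_tty=yes"; else echo "fd${fd}_tty=no"; fi
done
# /dev/tty opens only when the process has a controlling terminal.
if (: </dev/tty) 2>/dev/null; then echo "ctty=yes"; else echo "ctty=no"; fi
# printenv sees exported variables only, not defaults a shell sets internally.
for v in TERM COLUMNS LINES HOME; do
    echo "$v=$(printenv "$v" || echo unset)"
done
'

# ctx_probe: report the context of the calling shell.
ctx_probe() { sh -c "$PROBE"; }

# cron_like CMD...: run CMD with only the variables from the cron file quoted
# in the thread, stdin from /dev/null, stdout/stderr on a pipe, and (setsid)
# a new session that has no controlling terminal.
cron_like() {
    env -i SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin HOME=/var/rancid \
        setsid "$@" </dev/null 2>&1 | cat
}

# ctx_diff: print each probe line that changes between the two contexts.
ctx_diff() {
    here=$(ctx_probe)
    cron_like sh -c "$PROBE" | while IFS= read -r line; do
        was=$(printf '%s\n' "$here" | grep "^${line%%=*}=")
        [ "$was" = "$line" ] || echo "$was -> $line"
    done
}

# `sh thisfile diff` prints the differences; sourcing it only defines functions.
if [ "${1:-}" = diff ]; then ctx_diff; fi
```

Running `cron_like /usr/libexec/rancid/rancid-run` as the rancid user reruns the collection under those conditions on demand, so the resulting `.raw` file can be compared with one from an interactive run without waiting for the schedule.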