[rancid] rancid-run doesn't work from cron for panorama but works manually

Lucian-Ionut Lepadatu lepadatu.lucian at gmail.com
Thu Jul 27 11:27:38 UTC 2023


Indeed, the cron file that I've shared previously was the default one from
the rpm /etc/cron.d/rancid.
I've already tried the rancid user specific crontab but that behaves
exactly the same.
Given the format of the output from the .raw file ("set cli scripting-mode
on", for example, is not on a single line), maybe rancid is having trouble
parsing the output; I've tried adjusting the TERM and COLUMNS env vars and
even changed the hostname to something very short but without success.
That's what's been puzzling me: on one hand it looks like an env issue but
on the other even when run from the rancid user's crontab it still does not
work and I cannot pinpoint what exactly fails.

Thanks,
Lucian Lepadatu

On Thu, Jul 27, 2023 at 6:02 AM Piegorsch, Weylin William <weylin at bu.edu>
wrote:

> From the CRON file you shared, it looks like you’re executing this in the
> crontab in /etc?  I find it more reliable to execute system management
> tasks there (logrotate; updatedb; and so forth), but for rancid’s
> environment to be setup correctly when using rancid’s personal CRON file.
>
> “sudo su - rancid ; crontab -e”
>
> Just remember that in a user’s crontab you don’t need to specify the user.
>
> Weylin Piegorsch | Manager, Network Engineering
> Boston University Information Services & Technology
> weylin at bu.edu | 617.353.8128 | bu.edu/tech <http://www.bu.edu/tech>
> Listen. Learn. Lead.
>
> From: Lucian-Ionut Lepadatu <lepadatu.lucian at gmail.com>
> Sent: Wednesday, July 26, 2023 9:47 AM
> To: rancid-discuss at www.shrubbery.net
> Subject: [rancid] rancid-run doesn't work from cron for panorama but
> works manually
>
> Hello,
>
> I am trying to make rancid pull the configs from a pair of Palo Alto
> Panorama devices.
>
> I've installed it on an Alma Linux 9 box with the default package from
> epel (rancid.x86_64 3.13-7.el9).
> I have in router.db a list of Palo Alto firewalls and a pair of Panorama
> devices. Login to all devices works.
>
> If I login with the rancid user and run rancid-run from the shell
> ([rancid at rancidbox ~]$ /usr/libexec/rancid/rancid-run) it gets the config
> for all devices.
> If I login as root and run rancid run as the rancid user
> ("[rancid at rancidbox ~]# sudo -u rancid /usr/libexec/rancid/rancid-run")
> it also works for all devices.
>
> But if I try to run it from cron as the user rancid, it works for the
> firewalls but not for panorama.
>
>
> The cron entry looks like this:
>
> SHELL=/bin/bash
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> MAILTO=root
> HOME=/var/rancid
> 0 */8 * * * rancid /usr/libexec/rancid/rancid-run
>
> In the rancid logs I see:
>
> missed cmd(s): all commands
> End of run not found
> panlogin error: Error: TIMEOUT reached
>
> I've managed to capture the .raw and .new files for a panorama device when
> rancid-run was executed from cron and looks like it connects to the device
> but it gets stuck:
>
> [rancid at rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.raw
> panorama_hostname.internal.domain spawn ssh -x -l rancid_login_user panorama_hostname.internal.domain
> *************************************************************************
>  *                                                                       *
>  *              WARNING! Access to this device is restricted             *
>  *                   to those individuals with specific                  *
>  *             permissions. If you are not an authorized user            *
>  *                             disconnect now.                           *
>  *                                                                       *
>  *                 Any attempts to gain unauthorized access              *
>  *                     will be prosecuted to the fullest                 *
>  *                             extent of the law.                        *
>  *                                                                       *
>  *************************************************************************
> (rancid_login_user at panorama_hostname.internal.domain) Password:
> Last login: Wed Jul 26 11:51:59 2023 from IP.XXX.YYY.ZZZ
> No entry for terminal type "network"; using dumb terminal settings.
> Number of failed attempts since last successful login: 0
> rancid_login_user at panorama_hostname.internal.domain(primary-active)>
> rancid_login_user at panorama_hostname.internal.domain(primary-active)> set
> rancid_login_user at panorama_hostname.internal.domain(primary-active)> set cli
> rancid_login_user at panorama_hostname.internal.domain(primary-active)> set cli scripting -mode
> rancid_login_user at panorama_hostname.internal.domain(primary-active)> set cli scripting -mode on
> rancid_login_user at panorama_hostname.internal.domain(primary-active)>
> [rancid at rancidbox ~]$
> [rancid at rancidbox ~]$ cat network-devices/configs/panorama_hostname.internal.domain.new
> #RANCID-CONTENT-TYPE: paloalto
> #
>
> If I try to run rancid instead of rancid-run from cron for panorama it
> works (needs a PATH added to be able to find the panlogin script but other
> than that it succeeds)
>
> PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/libexec/rancid/:/usr/share/perl5/vendor_perl/rancid
>
> 08 10 * * * rancid /usr/libexec/rancid/rancid -t paloalto -d panorama_hostname.internal.domain
>
> I've also got a dump of all environment variables for the rancid user and
> put it in cron but same as before: rancid-run always fails for panorama but
> works for the firewalls. (it has the same content in the .raw file every
> time)
>
> I was thinking that since invoking rancid from cron works but rancid-run
> fails, it might have something to do with how control_rancid or rancid-fe
> invokes rancid but couldn't see anything obvious in those scripts
> that might cause this behaviour.
>
> I am not sure what exactly fails. I appreciate any pointers you might have.
>
> Thanks,
> Lucian Lepadatu
>
>