cmwrancid

Overview

This rancid 3.x module provides support for equipment running the Comware operating system. Principally, it is equipment like:

    • 3Com: Comware 3 and Comware 5 product families, including SuperStack 4 (5500-SI/EI, 5500G), 4210, 4500, 4800G, 7700, 8800 ...

    • H3C products

    • HP Networking: ('A' & some 'E' portfolio, post-2010 3Com acquisition)

The earlier h3crancid modules for rancid 2.x had been in development since at least 2009; in early 2011 I sorted out some long-standing problems, tidied them all up, and made the new versions available for wider testing. These rancid 3.x modules (renamed to cmwrancid) were first developed in January 2015.

I hope to have them rolled into the main rancid distribution one day.

See 3Com/H3C/HP Networking support for rancid for more background information about the 3Com/H3C/HP etc.

Tested models

The following models have been tested and are known to work to some degree:

    • 3Com 7750 (Comware 3)

    • 3Com 5500-EI/SI / HP E5500-EI/SI (Comware 3)

    • 3Com 5500G (Comware 3)

    • 3Com 4200G (Comware 3)

    • 3Com 4210 (Comware 3)

    • 3Com 4800G / H3C S5500 / HP A5500 EI/HI (Comware 5)

    • 3Com 4210G (Comware 5)

    • H3C S3100 (Comware 3)

    • H3C S5600 (Comware 3)

    • H3C S7506 (Comware 5)

    • H3C S7906E (Comware 5)

    • H3C S5820X / HP A5800-48G (Comware 5)

    • H3C S5800 (Comware 5)

    • H3C S3610 (Comware 5)

    • H3C MSR30-60 (Comware 5)

    • H3C/HP S5120 (Comware 5)

    • Huawei MA5600 (Comware 5)

    • HP A5120

    • HP A5820

    • HP A5900 (Comware 7)

An early version was also tested on Huawei NE80E v3r3 once, but I have no idea if it still works for that platform now, nor indeed for any other Huawei models.

It is hoped that the following 'baseline' switches (intended to be web-managed only, without a CLI, but Comware underneath) can also be supported:

    • HP 1910

Since you didn't ask, there was no Comware 4, nor Comware 6 either. Blame Chinese numerology and superstition.

Tested scenarios

(Parts of this section need more detail)

Both telnet and ssh methods work, so long as they are properly enabled and configured on the device and for the login user.

Under Comware 3/5, the login user that rancid uses needs to be at least privilege level 2, or be able to execute the "super" command and supply its password to reach privilege level 3. In particular, the "dir" commands need a user above level 1 on some platforms.

Comware 3/5: User with priv level 2 or 3

User has high enough privilege that it is not necessary to switch to "super" mode.

device:

    local-user rancidUser
     authorization-attribute level 3

.cloginrc:

    add user hostname rancidUser
    add password hostname {rancidPass}
    add autoenable hostname {1}

Comware 3/5: User with priv level 1

User needs to switch to "super" mode.

device:

    local-user rancidUser
     authorization-attribute level 1

.cloginrc:

    add user hostname rancidUser
    add password hostname {rancidPass} {superPass}
    add autoenable hostname {0}

Comware 7

There is a new roles regime under Comware 7 which is much more flexible (i.e., complicated).

Rancid operates correctly if logging in to the device with a user in role network-admin (equivalent to level-15), which has all rights. (But not actually tested yet)

It operates reasonably well if logging in to the device with a user in role network-operator (roughly equivalent to level-1), which has rights to execute all display commands. However, this role cannot execute certain other commands that rancid requires (including, strangely, the commands to turn paging off, and file system viewing commands).

The recommended approach is to have rancid login with a specific user for that purpose, and create a role assigned to that user which permits rancid to do just what it needs to do.

For example:

    role name rancid-role
     description Rancid role
     rule 1 permit command display *
     rule 2 permit command dir *
     rule 3 permit command undo terminal monitor
     rule 4 permit command screen-length disable
     quit
    local-user rancid class manage
     service-type ssh
     authorization-attribute user-role rancid-role

SSH users

For some models (at least H3C S58xx and equivalents), you may find you need to specify the following in .cloginrc:

    add cyphertype ip.ad.re.ss {aes128-cbc}

The default (on my system, at least) of "3des" does not appear to work. A symptom of this would be that a test of ssh -x -c 3des -l user ip.ad.re.ss fails with key_verify failed for server_host_key. I also got this when I upgraded a 3Com 4800G from CMW520-R2202P15-S168 to S4800G-CMW520-R2208-S168.

Ensure that there is already an entry in ~/.ssh/known_hosts for the host (easily achieved by performing a manual ssh first as the user you run rancid as), or set StrictHostKeyChecking=no in ssh_config or equivalent. It does not appear to be possible to pass arbitrary command-line arguments to the ssh invocation using .cloginrc.

How To Install & Configure

Locate the directory for your rancid installation. It will likely be something like /usr/local/rancid.

Install cmwlogin into the bin/ subdirectory, and cmw.pm into lib/.

Modify etc/rancid.types.conf to add the commands and routines to execute:

    # Comware devices
    cmw;script;rancid -t cmw
    cmw;login;cmwlogin
    cmw;module;cmw
    cmw;inloop;cmw::inloop
    cmw;command;cmw::CommentOutput;display version
    cmw;command;cmw::CommentOutput;display boot-loader
    cmw;command;cmw::CommentOutput;display startup
    cmw;command;cmw::CommentOutput;dir /all
    cmw;command;cmw::CommentOutput;dir /all unit2>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot2#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit3>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot3#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit4>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot4#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit5>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot5#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit6>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot6#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit7>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot7#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit8>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot8#flash:/
    # Commands relating to the hardware:
    cmw;command;cmw::CommentOutput;display device
    cmw;command;cmw::CommentOutput;display device manuinfo
    cmw;command;cmw::CommentOutput;display fan
    cmw;command;cmw::CommentOutput;display power
    cmw;command;cmw::CommentOutput;display poe powersupply
    cmw;command;cmw::CommentOutput;display poe temperature-protection
    cmw;command;cmw::CommentOutput;display transceiver interface
    # Commands relating to authentication:
    cmw;command;cmw::CommentOutput;display cluster
    cmw;command;cmw::CommentOutput;display domain
    cmw;command;cmw::CommentOutput;display local-user
    cmw;command;cmw::CommentOutput;display password-control
    cmw;command;cmw::CommentOutput;display password-control super
    cmw;command;cmw::CommentOutput;display ssh server status
    # Commands relating to system state:
    cmw;command;cmw::CommentOutput;display irf
    cmw;command;cmw::CommentOutput;display xrn-fabric
    cmw;command;cmw::CommentOutput;display ftm topology-database
    cmw;command;cmw::DisplayFib;display fib
    cmw;command;cmw::DisplayIPRoutes;display ip routing-table
    cmw;command;cmw::CommentOutput;display ospf
    cmw;command;cmw::CommentOutput;display ospf brief
    cmw;command;cmw::CommentOutput;display vlan all
    cmw;command;cmw::CommentOutput;display lacp sys
    cmw;command;cmw::CommentOutput;display link-aggregation summary
    cmw;command;cmw::CommentOutput;display link-aggregation verbose
    cmw;command;cmw::CommentOutput;display loopback-detection
    cmw;command;cmw::CommentOutput;display mirror all
    cmw;command;cmw::CommentOutput;display ntp-service status
    cmw;command;cmw::CommentOutput;display stp root
    # And the system config itself:
    cmw;command;cmw::DisplayCurrent;display current-configuration

and use the type cmw in your router.db.

If there are any commands you do not wish to run in your environment, then simply omit them from the list above. If you want to run different sets of commands for different clusters of your devices, then make another copy of the list above, remove or add commands, change the "cmw;" at the start of each line to something else (e.g., "cmw-no-transceiver") and change the type for the relevant devices to the new name in your router.db.
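The Comware 7 section above makes the point that a custom role must permit everything rancid runs: the commands listed in rancid.types.conf plus the session set-up commands ("undo terminal monitor", "screen-length disable") that a plain network-operator role cannot execute. The following Python script is an added example, not part of cmwrancid or rancid: it reads a rancid.types.conf fragment and a role definition and reports which commands the role would refuse. The rancid.types.conf and role samples are constructed from the lists on this page (with the "dir *" rule deliberately left out), and the rule semantics are an assumption: a "*" matches the rest of the command, a command no rule matches is denied, and when several rules match the highest rule ID wins.

```python
import re

# Constructed sample: a rancid.types.conf fragment for the 'cmw' type,
# trimmed to a few of the command lines listed on this page.
TYPES_CONF = """\
# Comware devices
cmw;script;rancid -t cmw
cmw;login;cmwlogin
cmw;module;cmw
cmw;inloop;cmw::inloop
cmw;command;cmw::CommentOutput;display version
cmw;command;cmw::CommentOutput;dir /all
cmw;command;cmw::CommentOutput;dir /all slot2#flash:/
cmw;command;cmw::CommentOutput;display local-user
cmw;command;cmw::DisplayCurrent;display current-configuration
"""

# Commands the login script issues at session start on Comware 7 (the two
# this page says a network-operator role cannot run); a custom role must
# permit these as well as the rancid.types.conf commands.
SESSION_COMMANDS = ["undo terminal monitor", "screen-length disable"]

# Constructed sample: the page's rancid-role with the 'dir *' rule left out.
ROLE_CONFIG = """\
role name rancid-role
 description Rancid role
 rule 1 permit command display *
 rule 3 permit command undo terminal monitor
 rule 4 permit command screen-length disable
quit
"""

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+command\s+(.+?)\s*$")


def rancid_commands(types_conf, dev_type="cmw"):
    """Commands rancid runs for dev_type: field 4 of 'type;command;routine;cmd' lines."""
    cmds = []
    for line in types_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) >= 4 and fields[0] == dev_type and fields[1] == "command":
            cmds.append(fields[3])
    return cmds


def role_rules(role_config):
    """(id, action, pattern) for each 'rule N permit|deny command ...' line."""
    rules = []
    for line in role_config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def rule_matches(pattern, command):
    """Word-by-word match; a '*' in the pattern matches the rest of the command."""
    pat_words, cmd_words = pattern.split(), command.split()
    for i, word in enumerate(pat_words):
        if word == "*":
            return True
        if i >= len(cmd_words) or cmd_words[i] != word:
            return False
    return len(cmd_words) == len(pat_words)


def permitted(rules, command):
    """True if the role allows command.  Assumption: when several rules match,
    the one with the highest ID wins, and a command no rule matches is denied."""
    verdict = False
    for _rule_id, action, pattern in sorted(rules):
        if rule_matches(pattern, command):
            verdict = action == "permit"
    return verdict


def denied_commands(types_conf, role_config, dev_type="cmw"):
    """Every command rancid needs that the role would refuse."""
    rules = role_rules(role_config)
    needed = SESSION_COMMANDS + rancid_commands(types_conf, dev_type)
    return [cmd for cmd in needed if not permitted(rules, cmd)]


if __name__ == "__main__":
    for cmd in denied_commands(TYPES_CONF, ROLE_CONFIG):
        print("rancid-role does not permit:", cmd)
```

Run it against your own rancid.types.conf and the role text from "display role name rancid-role" before the first collection; anything it lists is a command whose output will be missing from the .raw file, which is otherwise hard to tell apart from a transport problem.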

Your .cloginrc entries should specify the appropriate enable command:

    add user routername rancid
    add enablecmd routername {super}
    add cyphertype routername {aes128-cbc}

Platform Selection

I have written a platform selection feature for rancid, which cmwlogin uses. For your Comware devices, also set the following in ~/.cloginrc:

    add platform routername cmw

which will automatically select values like enablecmd, and may eventually allow one general-purpose clogin command to be used for many similar platforms while remaining sensitive to their variations and acting slightly differently for each. This is subject to change.

Platform notes

For at least the MA6500, you will need to explicitly specify a different enablecmd:

    add enablecmd routername {enable}
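The .cloginrc entries in the "Tested scenarios", "SSH users" and "How To Install & Configure" sections each pair a login flow (autoenable 1 for a level-2/3 user, autoenable 0 plus a second password and an enable command for a level-1 user) with the directives that flow needs. Here is an added Python checker, not part of cmwrancid or rancid, that parses .cloginrc "add" lines and flags the mismatches those sections describe. The .cloginrc sample and the hostnames sw-core, sw-edge and sw-broken are constructed for the example, and it assumes that clogin-style scripts treat a missing autoenable as 0 and that "add platform ... cmw" is an acceptable substitute for an explicit enablecmd, as the Platform Selection section says.

```python
import re

# Constructed sample .cloginrc (not a real one): one host per scenario on
# this page plus one deliberately broken entry.
CLOGINRC = """\
# Comware 3/5, level-3 user: no 'super' needed
add user       sw-core    rancidUser
add password   sw-core    {rancidPass}
add autoenable sw-core    {1}
add platform   sw-core    cmw

# Comware 3/5, level-1 user: must 'super' to level 3
add user       sw-edge    rancidUser
add password   sw-edge    {rancidPass} {superPass}
add autoenable sw-edge    {0}
add enablecmd  sw-edge    {super}
add cyphertype sw-edge    {aes128-cbc}

# broken: wants 'super' but only the login password is given
add user       sw-broken  rancidUser
add password   sw-broken  {rancidPass}
add autoenable sw-broken  {0}
"""

# A value is either {braced, may contain spaces} or a bare word.
TOKEN_RE = re.compile(r"\{([^}]*)\}|(\S+)")


def parse_cloginrc(text):
    """Return {host: {directive: [values]}} from 'add <directive> <host> <values...>' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [braced if bare == "" else bare for braced, bare in TOKEN_RE.findall(line)]
        if len(tokens) < 3 or tokens[0] != "add":
            continue
        _add, directive, host, *values = tokens
        entries.setdefault(host, {})[directive] = values
    return entries


def check_host(cfg):
    """Problems with one host's directives, judged against the flows on this page."""
    problems = []
    if "user" not in cfg:
        problems.append("no 'user' directive")
    passwords = cfg.get("password", [])
    if not passwords:
        problems.append("no 'password' directive")
    # Assumption: clogin-style scripts treat a missing autoenable as 0.
    autoenable = cfg.get("autoenable", ["0"])[0]
    if autoenable == "0":
        # Level-1 flow: the login script must run the enable command
        # ('super' on Comware 3/5) and supply a second password to it.
        if len(passwords) < 2:
            problems.append("autoenable 0 needs two passwords (login and super/enable)")
        if "enablecmd" not in cfg and "platform" not in cfg:
            problems.append("autoenable 0 but no 'enablecmd' and no 'platform' to select one")
    elif autoenable != "1":
        problems.append(f"autoenable must be 0 or 1, got {autoenable!r}")
    return problems


def check_cloginrc(text):
    """{host: [problems]} for every host in the file."""
    return {host: check_host(cfg) for host, cfg in parse_cloginrc(text).items()}


if __name__ == "__main__":
    for host, problems in check_cloginrc(CLOGINRC).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Feed it the real ~/.cloginrc of the rancid user (mode 0600, as rancid already requires) rather than copying entries into the script; the output names only directives, never password values, so it is safe to paste into a bug report alongside the .raw file.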

Caveats

    1. It is no use for older 3Com SuperStack 3/II/etc products;

    2. For Comware 3 devices (e.g., 3Com 5500), there appears to be no way to turn off paging on a per-session basis. You can turn it off per-vty, but that affects other users too. In Comware 5, there is a per-session "screen-length disable" command;

Problems / Testing

If the scripts don't work for you, then please get in touch with details. I may ask you to provide some debug output; the following commands would be useful:

    env NOPIPE=YES PATH=${PATH}:/path/to/ranciddir rancid -t cmw -d ip.ad.re.ss

and send me the .raw output, with sensitive data like passwords, secrets and community strings removed.

Also:

    expect /path/to/cmwlogin -d -c 'dir; display version' ip.ad.re.ss

Credits

Thanks particularly to Ugo Bellavance who has patiently tested various versions and sent me debug output and commentary, and to Alexander Belokopytov who gave me remote access to some equipment which proved useful at one point.

Notes

Nothing to note.

Files

See attachments.

Status

Hoping to have it incorporated into the Rancid 3.x distribution at some point.