Overview

This rancid 3.x module provides support for equipment running the Comware operating system. Principally, it is equipment like:
The earlier h3crancid modules for rancid 2.x have been in development since at least 2009, however in early 2011 I sorted out some long-standing problems, tidied them all up, and made the new versions available for wider testing. These rancid 3.x modules (renamed to cmwrancid) were first developed January 2015. I hope to have them rolled into the main rancid distribution one day.

See 3Com/H3C/HP Networking support for rancid for more background information about the 3Com/H3C/HP etc.

Tested models

The following models have been tested and are known to work to some degree:
An early version was also tested on Huawei NE80E v3r3 once, but I have no idea if it still works for that platform now, nor indeed for any other Huawei models.

It is hoped that the following 'baseline' switches (intended to be web-manageable non-CLI only, but are Comware underneath) can also be supported:
Since you didn't ask, there was no Comware 4, nor Comware 6 either. Blame Chinese numerology and superstition.

Tested scenarios

(Parts of this section need more detail)

Both telnet and ssh methods work, so long as they are properly enabled and configured on the device and for the login user.

Under Comware 3/5, the login user rancid uses needs to be at least priv. level 2, or be able to execute and supply a password to the "super" command to achieve priv. level 3. In particular, the "dir" commands need a user greater than at least level 1 on some platforms.

Comware 3/5: User with priv level 2 or 3

User has high enough privilege that it is not necessary to switch to "super" mode.

device:

    local-user rancidUser
     authorization-attribute level 3

.cloginrc:

    add user hostname rancidUser
    add password hostname {rancidPass}
    add autoenable hostname {1}

Comware 3/5: User with priv level 1

User needs to switch to "super" mode.

device:

    local-user rancidUser
     authorization-attribute level 1

.cloginrc:

    add user hostname rancidUser
    add password hostname {rancidPass} {superPass}
    add autoenable hostname {0}

There is a new roles regime under Comware 7 which is much more flexible (i.e., complicated).

Rancid operates correctly if logging in to the device with a user in role network-admin (equivalent to level-15), which has all rights. (But not actually tested yet)

It operates reasonably well if logging in to the device with a user in role network-operator (roughly equivalent to level-1), which has rights to execute all display commands. However, this role cannot execute certain other commands that rancid requires (including, strangely, the commands to turn paging off, and file system viewing commands).

The recommended approach is to have rancid log in with a specific user for that purpose, and create a role assigned to that user which permits rancid to do just what it needs to do.
For example:

    role name rancid-role
     description Rancid role
     rule 1 permit command display *
     rule 2 permit command dir *
     rule 3 permit command undo terminal monitor
     rule 4 permit command screen-length disable
     quit
    local-user rancid class manage
     service-type ssh
     authorization-attribute user-role rancid-role

SSH users

For some models (at least H3C S58xx and equivalents), you may find you need to specify the following in .cloginrc:

    add cyphertype ip.ad.re.ss {aes128-cbc}

The default (on my system, at least) of "3des" does not appear to work. A symptom of this would be that a test of

Ensure that there is already an entry in

How To Install & Configure

Locate the directory for your rancid installation. It will likely be something like

Install

Modify

    cmw;script;rancid -t cmw
    cmw;login;cmwlogin
    cmw;module;cmw
    cmw;inloop;cmw::inloop
    cmw;command;cmw::CommentOutput;display version
    cmw;command;cmw::CommentOutput;display boot-loader
    cmw;command;cmw::CommentOutput;display startup
    cmw;command;cmw::CommentOutput;dir /all
    cmw;command;cmw::CommentOutput;dir /all unit2>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot2#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit3>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot3#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit4>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot4#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit5>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot5#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit6>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot6#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit7>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot7#flash:/
    cmw;command;cmw::CommentOutput;dir /all unit8>flash:/
    cmw;command;cmw::CommentOutput;dir /all slot8#flash:/
    # Commands relating to the hardware:
    cmw;command;cmw::CommentOutput;display device
    cmw;command;cmw::CommentOutput;display device manuinfo
    cmw;command;cmw::CommentOutput;display fan
    cmw;command;cmw::CommentOutput;display power
    cmw;command;cmw::CommentOutput;display poe powersupply
    cmw;command;cmw::CommentOutput;display poe temperature-protection
    cmw;command;cmw::CommentOutput;display transceiver interface
    # Commands relating to authentication:
    cmw;command;cmw::CommentOutput;display cluster
    cmw;command;cmw::CommentOutput;display domain
    cmw;command;cmw::CommentOutput;display local-user
    cmw;command;cmw::CommentOutput;display password-control
    cmw;command;cmw::CommentOutput;display password-control super
    cmw;command;cmw::CommentOutput;display ssh server status
    # Commands relating to system state:
    cmw;command;cmw::CommentOutput;display irf
    cmw;command;cmw::CommentOutput;display xrn-fabric
    cmw;command;cmw::CommentOutput;display ftm topology-database
    cmw;command;cmw::DisplayFib;display fib
    cmw;command;cmw::DisplayIPRoutes;display ip routing-table
    cmw;command;cmw::CommentOutput;display ospf
    cmw;command;cmw::CommentOutput;display ospf brief
    cmw;command;cmw::CommentOutput;display vlan all
    cmw;command;cmw::CommentOutput;display lacp sys
    cmw;command;cmw::CommentOutput;display link-aggregation summary
    cmw;command;cmw::CommentOutput;display link-aggregation verbose
    cmw;command;cmw::CommentOutput;display loopback-detection
    cmw;command;cmw::CommentOutput;display mirror all
    cmw;command;cmw::CommentOutput;display ntp-service status
    cmw;command;cmw::CommentOutput;display stp root
    # And the system config itself:
    cmw;command;cmw::DisplayCurrent;display current-configuration

and use the type cmw in your

If there are any commands you do not wish to run in your environment, then simply omit them from the list above.
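One way to check that a restricted Comware 7 role such as rancid-role still covers every command in your cmw command list before deploying it. This is an added example, not part of cmwrancid: it treats `*` in a rule as a plain wildcard (a simplification of Comware's rule matching) and assumes the login script sends the two session commands that rules 3 and 4 permit.

```python
import re

# Role rules and a shortened command list, copied from this page.
ROLE_RULES = """\
rule 1 permit command display *
rule 2 permit command dir *
rule 3 permit command undo terminal monitor
rule 4 permit command screen-length disable
"""
TYPES_CONF = """\
cmw;script;rancid -t cmw
cmw;login;cmwlogin
cmw;command;cmw::CommentOutput;display version
cmw;command;cmw::CommentOutput;dir /all
cmw;command;cmw::CommentOutput;dir /all unit2>flash:/
# Commands relating to the hardware:
cmw;command;cmw::CommentOutput;display device manuinfo
cmw;command;cmw::DisplayCurrent;display current-configuration
"""
# Assumption: the login script sends these (they are what rules 3 and 4 permit).
SESSION_CMDS = ["undo terminal monitor", "screen-length disable"]

def parse_rules(text):
    """Compile each 'rule N permit command <pattern>' line into a regex."""
    patterns = []
    for line in text.splitlines():
        m = re.match(r"\s*rule\s+\d+\s+permit\s+command\s+(.+?)\s*$", line)
        if m:
            # Simplification: '*' matches any text, everything else is literal.
            literal_parts = [re.escape(p) for p in m.group(1).split("*")]
            patterns.append(re.compile(".*".join(literal_parts)))
    return patterns

def parse_commands(text, devtype="cmw"):
    """Extract the CLI command from '<type>;command;<handler>;<cli>' lines."""
    cmds = []
    for line in text.splitlines():
        fields = line.strip().split(";", 3)
        if len(fields) == 4 and fields[:2] == [devtype, "command"]:
            cmds.append(fields[3])
    return cmds

def denied(commands, patterns):
    """Return the commands that no permit rule covers."""
    return [c for c in commands if not any(p.fullmatch(c) for p in patterns)]

if __name__ == "__main__":
    needed = parse_commands(TYPES_CONF) + SESSION_CMDS
    # 'save force' is added as a configuration-changing command the role must reject.
    for cmd in denied(needed + ["save force"], parse_rules(ROLE_RULES)):
        print("not permitted by rancid-role:", cmd)
```

An empty result for your real command list means the role is sufficient; anything listed needs either a new permit rule or removal from the command list.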
If you want to run different sets of commands for different clusters of your devices, then make another copy of the list above, remove or add commands, change the "

Your

    add user routername rancid
    add enablecmd routername {super}
    add cyphertype sipbs-dr.net {aes128-cbc}

Platform Selection

I have written a platform selection feature for rancid, which

    add platform routername cmw

enablecmd and maybe eventually permit a general purpose clogin command to be used for many similarish platforms, but which is sensitive to variations across those platforms and acts slightly differently accordingly. This is subject to change.

Platform notes

For at least MA6500, you will need to explicitly specify a different enacmd:

    add enablecmd routername {enable}

Caveats
Problems / Testing

If the scripts don't work for you, then please get in touch with details. I may ask you to provide some debug output; the following commands would be useful:

    env NOPIPE=YES PATH=${PATH}:/path/to/ranciddir rancid -t cmw -d ip.ad.re.ss

.raw output, with sensitive data like passwords, secrets and community strings removed.

Also:

    expect /path/to/cmwlogin -d -c 'dir; display version' ip.ad.re.ss

Credits

Thanks particularly to Ugo Bellavance who has patiently tested various versions and sent me debug output and commentary, and to Alexander Belokopytov who gave me remote access to some equipment which proved useful at one point.

Notes

Nothing to note.

Files

See attachments.

Status

Hoping to have it incorporated into the Rancid 3.x distribution at some point.
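One way to strip passwords, secrets and community strings from the debug output requested under Problems / Testing before sending it. This is an added example, not part of cmwrancid: the patterns cover a few common Comware configuration forms and are an assumption, not a complete list, and the sample text is constructed.

```python
import re

# Constructed sample: Comware-style config lines plus one expect -d line.
SAMPLE = r"""local-user rancidUser
 password cipher $c$3$EXAMPLEonlyNotARealHash
 authorization-attribute level 3
super password level 3 simple superPass
snmp-agent community read cipher $c$3$EXAMPLEcommunity
snmp-agent community write private
radius scheme example
 key authentication cipher $c$3$EXAMPLEkey
send: sending "rancidPass\r" to { exp6 }
display version
"""

# Each pattern captures the keywords in group 1 and drops the value after them.
PATTERNS = [
    re.compile(r"^(\s*(?:super\s+)?password\b.*?\b(?:cipher|simple|hash)\s+)\S+", re.I),
    re.compile(r"^(\s*snmp-agent\s+community\s+(?:read|write)\s+(?:cipher\s+|simple\s+)?)\S+", re.I),
    re.compile(r"^(\s*key\s+\S+\s+(?:cipher|simple)\s+)\S+", re.I),
]

def redact(text, known_secrets=()):
    """Return (scrubbed_text, number_of_lines_changed).

    known_secrets: literal login/super passwords from .cloginrc, which show
    up verbatim in expect debug output and match no config keyword.
    """
    out, changed = [], 0
    for line in text.splitlines():
        new = line
        for pat in PATTERNS:
            new = pat.sub(r"\1<removed>", new)
        for secret in known_secrets:
            new = new.replace(secret, "<removed>")
        changed += new != line
        out.append(new)
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    clean, n = redact(SAMPLE, known_secrets=("rancidPass", "superPass"))
    print(clean, end="")
    print(f"# {n} lines changed; review the rest by eye before sending")
```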
