Some boxes like prokurwa may authenticate via SSH (proper), or may have
no auth on SSH and use terminal auth (improper).
Even if SSH is configured for terminal auth, in this change we attempt
to detect the prompt, so that we won't expect terminal auth, even when
requested, if it is not presented.
also fix warning about unused variable
Newer versions of ssh (>=5.4) support the -W option which makes the
use of netcat obsolete. Dropping netcat is useful if you want to
hop through a router/switch since they rarely have netcat support.
Tested, and is even better.
Some network equipment exists that does not want to play nice with ssh.
This adds the vars ssh_encryption and ssh_kex which can be used to
tell oxidized to use certain encryption and key exchange so it
can connect to these devices.
When I try to run oxidized as a different user, I get permission errors
because oxidized tries to write debug logs (e.g. true-telnet) in the current
working directory, which in my case is not writable for the
non-privileged user. I think this can be improved by this change.
1) Why would you use CFG.input.debug?.to_s (which in this case will
always be 'true') as a prefix at all?
2) Let's use the crash directory for the debug output, as we know this
is available, and choose a more descriptive name.
Some of my switches don’t expect any username on telnet. This change
allows me to leave the username field effectively empty for a switch.
Model: SAM1316-22 STU-C
ZyNOS version: V3.53(BVE.2)
Net::SSH::AuthenticationFailed on some Arista devices
used by ciscosmb and one of the wlan controllers. Thanks to
@SaaldjorMike for spotting.
fixes #121
(new behavior in net-ssh 2.9.3)
If you have
    input:
      debug: session_log
then session_log-telnet and session_log-ssh will be created showing what
the telnet/ssh saw. Helpful in model development.
ALU ISAM DSLAM does this
Looks like this in syslog:
Jul 11 21:05:53 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 22"
Jul 11 21:05:53 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 23"
Jul 11 21:05:54 ytti oxidized[9820]: 10.10.10.10 status no_connection, retry attempt 1
Jul 11 21:05:54 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 22"
Jul 11 21:05:54 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 23"
Jul 11 21:05:55 ytti oxidized[9820]: 10.10.10.10 status no_connection, retry attempt 2
Jul 11 21:05:55 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 22"
Jul 11 21:05:55 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 23"
Jul 11 21:05:56 ytti oxidized[9820]: 10.10.10.10 status no_connection, retry attempt 3
Jul 11 21:05:56 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 22"
Jul 11 21:05:56 ytti oxidized[9820]: 10.10.10.10 raised Errno::ENETUNREACH with msg "Network is unreachable - connect(2) for "10.10.10.10" port 23"
Jul 11 21:05:57 ytti oxidized[9820]: 10.10.10.10 status no_connection, retries exhausted, giving up
We needed this, because use of 'def inherited' is not idempotent; in the
Oxidized::Script use case we may need to restart Oxidized, even though
it's already loaded, and we won't get class names populated via 'def
inherited' anymore.
There are quite many options to do this:
a) filename == class name
   + no discovery/mapping, very clean
   - user 'source' must give us model name in exactly the right
     capitalization
b) add 'self' at end of files, so eval will return class name
   + deterministic with arbitrary name
   - DSL cruft, DSL being light is our main value
     (can we do this via parent class? I couldn't find a way)
c) load in new module via Module.module_eval X
   + module will contain only consts we just created
   - but which one is the one we want?
   - if we use eval, load errors won't tell line error
But at least now we got rid of 'inherited' methods and are not adding too
much cruft; hope it's better than before.
Variables can now be fed to model from multiple locations. In order of
preference:
1) node (from source)
2) group
3) global
In a model vars should be accessed via the 'vars' helper method, though it is
not required. The helper method ignores nil values, so care needs to be taken
when designing model behaviour.
Support for node level vars is currently available on the sql source via
the 'vars_map' configuration.
The following example populates node vars 'enable' and 'somevariable' from sql
columns 'var_enablepw' and 'var_somevariable':
    sql:
      adapter: sqlite
      file: /home/aakso/.config/oxidized/sqrouter.db
      table: nodes
      map:
        name: hostname
        model: model
        group: node_group
        username: username
        password: password
      vars_map:
        enable: var_enablepw
        somevariable: var_somevariable
Waittime is how long it waits for /more/ input /after/ matching to RE.
This has been wrong always in Oxidized but only after changing default
timeout to 30, it became apparent.
When timeout was 5s, it just gave 5s delay to every command, now it
gives 30s delay.
Main benefits
a) we get support for system wide configs
b) we don't use symbols in config file, they're confusing to
non-rubyist
- add 'connected?' method to ssh/telnet to query whether or not we're
  connected
- subclass OxidizedError from StandardError; all future OxidizedErrors
  should be subclassed from this.
If we stay connected on the device (model broken?) give up after
timeout, instead of sitting in the model forever
Crappy Cisco WLC 5k, much quality, very implementation, such secure
* stop pre_logout from expecting prompt by default
Outputs about what we've seen last in input class. Quite dirty in
telnet, so not sure I'm going to support it. Let's see if there is
use-case for it.
As I can't do IO#select on sinatra/puma to run it when I have time, I
have to run it on a separate thread.
This means the Nodes container needs to be thread safe; it now has ghetto
mutex locking, but I probably need to be more focused on what the
external methods are that can be called and wrap those in @mutex.synchronize.
Provide also HTML UI, not just JSON, for a ghetto UI for people who don't want to
integrate.
Specifically AOS 6, vxworks era, not linux era 7
Now input ssh has configuration option secure, which is false by default,
meaning we don't care about changing keys. It breaks the ssh security model,
but rancid does it too.
Also input models' error handling is now mostly moved to node.rb for
centralized handling + logging, with input models only defining which
errors they want to recover from.