Scripting retrieval of the config file

Unanswered Question
Feb 11th, 2008

Just in case someone else needs it, this works for me on AsyncOS 5.5:

wget --no-check-certificate -O config.xml "https://your.ironport.box/login?username=admin&password=your_password&action:Login=Login&referrer=https%3A%2F%2Fyour.ironport.box%2Fsystem_administration%2Fconfiguration_file?action=Save%26operation=download"
si_ironport Tue, 02/12/2008 - 20:10

Here's a quick Perl script I use to perform config backups (with passwords):

#!/usr/bin/perl
#
# 2006041000 Simon Howard Quick script to backup Ironport configurations
#
use strict;
use warnings;

my @ironports = ("ironport1.example.net","ironport2.example.net","ironport3.example.net");

foreach my $host (@ironports) {
    my $backupdir = "/var/spool/archive/$host";

    # Ask the appliance to write a config file (with passwords); the first
    # line of its reply names the file it created.
    my $detail = `ssh $host \"saveconfig 1\"`;
    $detail = '' unless defined $detail;
    my ($first) = split /\n/, $detail;
    $first = '' unless defined $first;

    if ($first =~ /^The file (.*) has been saved in the$/) {
        my $file = $1;
        my $ret = system("scp $host:/configuration/$file $backupdir");
        if ($ret != 0) {
            print "Error: backing up $host config file '$file' to $backupdir: $?\n";
        } else {
            print "Success: backing up $host config file '$file' to $backupdir\n";
        }
    }

    # remove any configs older than 60 days (regular files only, so the
    # archive directory itself is never removed)
    `find $backupdir -type f -mtime +60 -exec rm -f {} \\;`;
}

print "Ironport config backup complete\n";
Nicolas Melay Tue, 02/12/2008 - 14:01

Right. Contrary to showconfig, mailconfig works all right with SSH, but that's not a very straightforward way to retrieve the config file.

I just saw that the following works, however:

printf 'showconfig\ny\n' | ssh [email protected] | sed -n '/<?xml/,/<\/config>/p'
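The pipeline above relies on a sed range to cut the XML document out of everything else the SSH session prints. As an added example (not code from this thread), here is that extraction as a small POSIX shell script that also drops the "Press Any Key For More" pager lines mentioned later in the thread and refuses to accept a document that does not start with the XML declaration and end with </config>. The session transcript embedded in it is constructed; real AsyncOS banners and config content differ.

```shell
#!/bin/sh
# Added example, not code from this thread: pull the <config> document out of a
# captured showconfig session. The login banner, prompts and any pager lines
# ("Press Any Key For More") are dropped, and the result is checked for
# completeness before it is treated as a backup.

# extract_config: session transcript on stdin, bare XML on stdout.
# The sed range runs from the XML declaration to the closing </config> tag
# ('?' is literal in a basic regular expression, so '/<?xml/' needs no escaping);
# grep then removes pager prompts the appliance may interleave with the XML.
extract_config() {
    sed -n '/<?xml/,/<\/config>/p' | grep -v 'Press Any Key For More'
}

# check_config FILE: succeed only if FILE starts with the XML declaration and
# ends with </config>, so a session that was cut off mid-transfer is not
# archived as a "good" copy.
check_config() {
    head -n 1 "$1" | grep -q '^<?xml' || return 1
    tail -n 1 "$1" | grep -q '^</config>' || return 1
}

# Constructed sample transcript (assumption: real AsyncOS banners and config
# content differ; only the prompt/XML layout matters here).
SAMPLE_SESSION='Last login: Mon Feb 11 10:00:00 2008 from 192.0.2.10
Welcome to the IronPort Email Security Appliance
mail.example.com> showconfig
Do you want to include passwords? [N]> y
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE config SYSTEM "config.dtd">
<config>
  <hostname>mail.example.com</hostname>
-Press Any Key For More-
  <smtp_listener_port>25</smtp_listener_port>
</config>
mail.example.com> exit'

# extract_sample: run the extraction over the constructed transcript.
extract_sample() {
    printf '%s\n' "$SAMPLE_SESSION" | extract_config
}

# Stand-alone use: ./extract.sh transcript.txt   (writes transcript.txt.xml)
# With no argument, demonstrate on the constructed sample.
if [ "$#" -ge 1 ]; then
    extract_config < "$1" > "$1.xml"
    check_config "$1.xml" || { echo "incomplete config in $1" >&2; exit 1; }
    cat "$1.xml"
else
    extract_sample
fi
```

The completeness check matters more than it looks: an SSH session that times out or hits a pager prompt the script did not expect yields a truncated file, and without the check that file silently becomes the "last known good" copy in the archive.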
Rayman_Jr Wed, 02/13/2008 - 12:26

It's always good to have a backup config, but unfortunately 'loadconfig' is not supported in a central management environment (cluster mode).

For cluster environments config backups are just an archive to see old settings; those can't be used for disaster recovery.

meyd45_ironport Thu, 05/08/2008 - 11:08

Complain (loudly) to your SE and Customer Support about the lack of loadconfig/saveconfig for clusters.

The lack of this feature means that anything other than small changes is overly time consuming. Adhering to Change Control procedures is also made more painful because there is no quick roll-back.

buttbutt_ironport Wed, 10/01/2008 - 18:54

How do you delete the old configs? rm isn't allowed and I was told by my SE that it won't automatically clear out old copies. Was hoping to find some equivalent so after the scp I could just delete the appliance copies.

martinc8306 Thu, 10/02/2008 - 14:46

This can also be achieved using expect scripts as per below:

#!/usr/bin/expect -f
# Usage: ironlogin.exp PASSWORD HOST COMMAND [ARG]
set password   [lindex $argv 0]
set ipaddr     [lindex $argv 1]
set scriptname [lindex $argv 2]
set arg1       [lindex $argv 3]
#set timeout -1
# run the command directly as the remote user's command line
spawn ssh -p 22 expect@$ipaddr $scriptname $arg1
match_max 100000
# answer the password prompt, then wait for the session to finish
expect "*?assword:*"
send -- "$password\r"
# send blank line (\r)
#send -- "\r"
expect eof

Put the above into an expect script and run a daily or weekly cron:

/usr/bin/expect /tmp/ironlogin.exp password host mailconfig emailaddress

Donald Nash Fri, 10/03/2008 - 17:25

You can login via ftp and use the delete command.

And by doing so expose your admin password over the network, since FTP uses plaintext authentication. It really annoys me that this is the only way to delete files. I understand that they want to keep you from hurting yourself, but there must be some way to make this work via SSH.

Not griping at you, meyd45, just at the situation.
Eisenhafen Thu, 03/19/2009 - 13:55

Complain (loudly) to your SE and Customer Support about the lack of loadconfig/saveconfig for clusters.

The lack of this feature means that anything other than small changes is overly time consuming. Adhering to Change Control procedures is also made more painful because there is no quick roll-back.


Hi, has anyone ever made a script able to backup a cluster config? Meaning remove one machine from the cluster and backup that config and join the cluster again - automated.

I would be very thankful for such information. We just had the case that both cluster members died at the same time and we were left with nothing to restore quickly.
dkoopman_ironport Sun, 07/19/2009 - 00:17

Here's something I put together:

#!/usr/bin/expect

set timeout 30

spawn ssh [email protected]
# any EOF from ssh (logout, dropped connection) ends the script cleanly
expect_after eof { exit 0 }

## interact with SSH: accept the host key prompt if shown, then the password prompt
expect {
"yes/no" { send "yes\r" }
-re ".assword:" { send "PASSWORD\r" }
}

expect "> " { send "showconfig\r" }
# "include passwords?" prompt
expect "> " { send "Y\r" }
# page through the output; two seconds of silence means the pager is done
expect "Press Any Key For More" { send "\r" }
set timeout 2
while 1 {
expect {
"Press Any Key For More" { send "\r" }
timeout break
}
}

expect "> " { send "exit\r" }

Because we are running a cluster, the config backups cannot be restored. Due to a bug, they had to remove the cluster config file restore feature.

It's still useful, though. Imagine you made a change, and it messed things up, and you weren't totally sure what changed. You could diff the last known good config with the broken config and tell what changed.

At our shop, we have the IronPort system log going to syslog, and we use Swatch to watch it and it kicks off a fetch of the configuration, after it changes. Like this:
1. User makes a change and commits
2. IronPort syslogs the change
3. Syslog writes the log entry that it changed to the log file
4. Swatch sees the log file entry, and feeds the line to another program that fetches the cluster configuration and stores it.
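The post above describes the fetch-on-commit loop and the reason to keep old copies: diffing the last known good config against a broken one. As an added example (not code from this thread), the following POSIX shell script covers the storage end of that loop, which is the same job the earlier Perl script does with scp plus find. It archives a fetched config only when its content differs from the newest archived copy, prints the unified diff against that copy, and prunes old copies with find restricted to regular files. Fetching the file (showconfig output, or saveconfig plus scp) is left to the caller, so the script runs without an appliance. The archive directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread: keep a history of fetched IronPort
# configuration files. A new copy is stored only when it differs from the newest
# archived one, the diff against that copy is printed, and old copies are
# pruned. Fetching the file (showconfig, or saveconfig plus scp) is left to
# the caller, so this runs without an appliance.

# archive_config ARCHIVE_DIR NEW_CONFIG [LABEL]
# Copies NEW_CONFIG to ARCHIVE_DIR/config-LABEL.xml unless it is byte-identical
# to the newest existing copy. LABEL defaults to a UTC timestamp, which sorts
# chronologically; the parameter exists so the function can be exercised with
# predictable names. Prints "unchanged", or the diff followed by "stored PATH".
archive_config() {
    dir=$1; new=$2; label=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    mkdir -p "$dir"
    # newest copy by name (empty while the archive is still empty)
    latest=$(ls "$dir"/config-*.xml 2>/dev/null | sort | tail -n 1)
    if [ -n "$latest" ] && cmp -s "$latest" "$new"; then
        echo unchanged
        return 0
    fi
    if [ -n "$latest" ]; then
        # diff exits 1 when the files differ, which is the expected case here
        diff -u "$latest" "$new" || true
    fi
    dest="$dir/config-$label.xml"
    cp "$new" "$dest"
    echo "stored $dest"
}

# prune_configs ARCHIVE_DIR DAYS
# Deletes archived copies older than DAYS. Restricting find to regular files
# matching the archive name pattern means neither ARCHIVE_DIR itself nor any
# unrelated file can be removed, even when the directory's own mtime is old.
prune_configs() {
    find "$1" -type f -name 'config-*.xml' -mtime +"$2" -exec rm -f {} +
}

# Stand-alone use: ./archive.sh /var/spool/archive/mail1 /tmp/fetched.xml [DAYS]
if [ "$#" -ge 2 ]; then
    archive_config "$1" "$2"
    prune_configs "$1" "${3:-60}"
fi
```

Because a copy is written only on change, re-running the fetch from cron as often as you like costs nothing in disk space, and the printed diff is exactly the "what changed since the last good copy" view the post describes; the find expression is the form the earlier Perl script's cleanup should take, since an unqualified rm -rf on the find results can remove the archive directory itself once it ages past the threshold.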
Andrew Wurster Tue, 07/21/2009 - 18:24

I don't use wget so can't test it out unfortunately. Be careful with wget though - I've seen a lot of customers and other random folks hit a software defect in AsyncOS or even their own script and essentially DoS the box. Be careful whatever you do!

Remember that the "configuration" backup file is NOT a flat file but rather a manually generated thing collecting from different system files.

So using this mentality, you have to A) login and generate it and then B) copy the file off the box. (Unless of course you are using 'showconfig', which does so and streams it to stdout for you.)

One such tool that will simplify this and cut a few lines (and security risks) out of your expect and other shell scripts is SSH keys. Check 'em out!

Here's a KB I wrote a ways back to show some of my own preferred methods:
http://tinyurl.com/rodtu

YMMV

Andrew

dkoopman_ironport Wed, 07/22/2009 - 20:26

So, SSH keys allow you to run a single command, for the commands that let you execute all in one line.

First, on a linux box:

ssh-keygen -b 1024 -t rsa

Answer the questions, don't use a password, and you'll have an id_rsa and id_rsa.pub file.

cat id_rsa.pub

Get on your IronPort CLI, and issue a "sshconfig" command, follow the prompts to enter the public key.

Now you can run a command like this in a single line:

ssh -i /path/to/private_key/id_rsa [email protected] "mailconfig [email protected] yes"


This saves you from needing to use Expect scripting to enter your password. Ok, that's nice.

FEATURE REQUEST: make it so ALL commands can be executed without going through prompts. In particular: showconfig. It should print out the whole config, and not stop for "-Any key for more-".

I don't want to email the config to myself, I want to just grab it.

From this post, I see a method to save a config on the IronPort, get the filename it created, then SCP it back to my machine. That would work, except for one problem: The user I'm using to grab the config should be a Read Only Operator, because it's sitting on a box used by many administrators. That leads me to another problem: mailconfig doesn't work, unless you're an Operator. But, showconfig does. Minus the User and a few other sections. The RO Operator should be able to download the complete config file!!!! So should Operator. I realize there is a security conflict with this: Operators could try to crack the password hashes of administrators and escalate their privilege. My counter to that is: admins should use strong passwords. And, the trade off of needing to store an Admin user/pass on a backup server, just to fetch a copy of the full configuration is a bigger security risk!
Andrew Wurster Wed, 07/22/2009 - 22:24

I know exactly what you mean. That is an awesome feature request IMHO (although a huge task). As always - your account team will be best for translating these ideas into valid enhancement requests.

I really like this one though, coming with some Cisco IOS/ASA and general Unix command line experience. The menu driven stuff can be rough!

I like your suggestions - keep them coming!

Andrew

steven_geerts Fri, 08/07/2009 - 19:44

It's still useful, though. Imagine you made a change, and it messed things up, and you weren't totally sure what changed. You could diff the last known good config with the broken config, and tell what changed. 


Great idea! +1 thank you!

Steven