Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3125
Solutions: 945
Contributions: 16

EdgeOS CLI Primer (part 3)

This post is a continuation of part 2: CLI Primer (part 2)

- Using config management:

In a previous post we used "save" to save the active configuration to disk, but you can also use "save" to back up a config to a different file or even off to a remote server. For example:

ubnt@RTR# save ?                                                                 
Possible completions:
Save to system config file
Save to file on local machine
scp://:@/ Save to file on remote machine
ftp://:@/ Save to file on remote machine
tftp:/// Save to file on remote machine
ubnt@RTR# save tftp://10.1.0.15/rtr-config.boot                                 
Saving configuration to 'tftp://10.1.0.15/rtr-config.boot'...
######################################################################## 100.0%
Done

One real example of how I used this recently was when I was going to change an ipsec tunnel into an openvpn tunnel. First I saved a backup with my working ipsec tunnel configuration:

ubnt@RTR# save config.boot-ipsec                                                
Saving configuration to '/config/config.boot-ipsec'...
Done

Note, this is just a backup. If I were to reboot now, it would still boot from the default /config/config.boot.

After having deleted the ipsec config and halfway through the other, something came up and I needed to put back the old config. So I just did:

ubnt@RTR# load config.boot-ipsec                                                
Loading configuration from '/config/config.boot-ipsec'...

Load complete. Use 'commit' to make changes active.

ubnt@RTR# commit

ubnt@RTR# save; exit
Saving configuration to '/config/config.boot'...
Done
exit
ubnt@RTR:~$


- commit-archive

But what if I want to automatically make a remote backup after every commit?

ubnt@RTR# set system config-management commit-archive location ?              
Possible completions:
Uniform Resource Identifier

Detailed information:

"scp://:@/"
"ftp://:@/"
"tftp:///"

ubnt@RTR# set system config-management commit-archive location tftp://10.1.0.15/RTR

ubnt@RTR# commit
Archiving config...
tftp://10.1.0.15/RTR OK

On the remote tftp server I see that for each commit it saves a copy with the hostname & date:

stig@uffda:/tftpboot/RTR$ ls -l
total 8
-rw------- 1 nobody nogroup 908 Aug 17 17:19 config.boot-RTR.20120817_171932
-rw------- 1 nobody nogroup 874 Aug 17 17:20 config.boot-RTR.20120818_002046


- commit-revisions

Instead of remote-archive (or in addition to it) you could decide you want to keep N revisions of the config locally:

ubnt@RTR# set system config-management commit-revisions 50

ubnt@RTR# commit

Example:

ubnt@RTR# set system login user joe authentication plaintext-password secret   

ubnt@RTR# commit

ubnt@RTR# save; exit
Saving configuration to '/config/config.boot'...
Done
exit

ubnt@RTR:~$ show system commit
0 2012-08-17 18:32:13 by ubnt via cli
commit
1 2012-08-17 18:31:52 by ubnt via cli
commit
2 2012-08-17 18:31:51 by root via init
commit

Now if I want to see what changed at revision 0:

ubnt@RTR:~$ show system commit diff 0

+user joe {
+ authentication {
+ encrypted-password $1$CWVzYggs$NyJXxC3S572rfm6pY8ZMO.
+ plaintext-password ""
+ }
+ level admin
+}

If I want to see the entire configuration file for revision 0:

ubnt@RTR:~$ show system commit file 0

What if I want to add a comment to my commit?

ubnt@RTR# set system login user joe level operator                              

ubnt@RTR# commit comment "change joe from admin to op"

ubnt@RTR# save; exit
Saving configuration to '/config/config.boot'...
Done
exit

Now when we use "show system commit" we also get the comment:

ubnt@RTR:~$ show system commit                                                  
0 2012-08-17 18:44:41 by ubnt via cli
change joe from admin to op
1 2012-08-17 18:34:01 by ubnt via cli
commit
2 2012-08-17 18:32:13 by ubnt via cli
commit
3 2012-08-17 18:31:52 by ubnt via cli
commit
4 2012-08-17 18:31:51 by root via init
commit


- commit-confirm

When working remotely on a router, certain changes (e.g. firewall or nat rule) can leave you in a state where you're cut off from the router and have to drive over to it and reboot it. So when making risky changes it's a good idea to use "commit-confirm" and then "confirm" once you know the changes are good. For example:

ubnt@RTR:~$ configure                                                           

ubnt@RTR# set firewall name WAN_IN rule 50 action drop

ubnt@RTR# set firewall name WAN_IN rule 50 destination address 172.16.0.0/16

ubnt@RTR# commit-confirm
commit confirm will be automatically reboot in 10 minutes unless confirmed
Proceed?

Now when we see that things are ok, we can:

ubnt@RTR# confirm                                                               


You can also specify the number of minutes to wait, but be sure to remember to also do the "confirm" as it's a common error to forget and suddenly be surprised by:

ubnt@RTR# commit-confirm 1                                                      
commit confirm will be automatically reboot in 1 minutes unless confirmed
Proceed?

ubnt@RTR#
Broadcast message from root@RTR (Mon Aug 20 14:00:06 2012):

The system is going down for reboot NOW!
INIT: Switching to runlevel: 6
INIT: Stopping routing services...zebra...done.
Removing all Quagga Routes.
EdgeMAX Router Software Development
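
An added example, not part of the original post: every file written by "save" or commit-archive is a full config.boot, and the tftp:// and ftp:// targets shown above carry it unencrypted, so it helps to inventory what credential material a given copy holds. The sample config is constructed (only joe's hash comes from the post), and the key watch list and function names are assumptions.

```python
# Leaf keys that hold credential material (assumed watch list, extend as needed).
SENSITIVE = {"encrypted-password", "plaintext-password", "pre-shared-secret"}
CRYPT_SCHEMES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

# Constructed sample in config.boot syntax; the hash is the one shown in the post.
SAMPLE = '''
system {
    login {
        user joe {
            authentication {
                encrypted-password $1$CWVzYggs$NyJXxC3S572rfm6pY8ZMO.
                plaintext-password ""
            }
        }
    }
}
vpn {
    ipsec {
        site-to-site {
            peer 192.0.2.10 {
                authentication {
                    pre-shared-secret EXAMPLE-PSK
                }
            }
        }
    }
}
'''

def classify(key, value):
    """Storage form of a secret: a crypt(3) scheme name, or cleartext."""
    if key != "encrypted-password":
        return "cleartext"
    return next((s for p, s in CRYPT_SCHEMES.items() if value.startswith(p)), "unrecognized hash")

def find_secrets(config_text):
    """Return (node path, key, storage form) for every non-empty secret leaf."""
    path, findings = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):          # entering a node such as "user joe {"
            path.append(line[:-1].strip())
        elif line == "}":               # leaving the current node
            path.pop()
        elif line:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"')
            if key in SENSITIVE and value:
                findings.append((" / ".join(path), key, classify(key, value)))
    return findings
```

Running `find_secrets` over each file in the archive directory shows which copies contain cleartext secrets or weak hash schemes and therefore need tighter file permissions or an scp:// target instead.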

Re: EdgeOS CLI Primer (part 3)

Another feature of commit-revisioning is that you can rollback to a specific commit. For example if I look at "show system commit" and decide the last 4 commits by "zippy" are crap, you can rollback to commit 4:

ubnt@RTR:~$ show system commit 
0 2012-08-21 14:46:41 by zippy via cli
fix bgp policy maps
1 2012-08-21 14:45:59 by zippy via cli
commit
2 2012-08-21 14:45:33 by zippy via cli
fix port forwarding
3 2012-08-21 14:45:15 by zippy via cli
fix firewall
4 2012-08-21 14:44:29 by ubnt via cli
commit
5 2012-08-21 14:21:15 by ubnt via cli
add port forward for port 2222 to build-server
6 2012-08-21 14:20:24 by ubnt via cli
add dmz interface to eth2
7 2012-08-21 14:19:53 by ubnt via cli
add ipsec tunnel to valhalla
8 2012-08-21 14:07:18 by ubnt via cli
add firewall for WAN_IN
9 2012-08-21 14:06:37 by ubnt via cli
add user bababoey
10 2012-08-21 14:04:47 by ubnt via cli
commit
11 2012-08-21 14:04:46 by root via init
commit

ubnt@RTR# rollback 4
Proceed with reboot?

Broadcast message from root@RTR (ttyS0) (Tue Aug 21 15:09:12 2012):

The system is going down for reboot NOW!


BTW, the reason why this wasn't included in the original post above is that while writing it up I found a bug. Now the bug is fixed, but don't try this on the code you have.
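
An added example, not part of the original posts: the revision choice made in the reply above (undo the newest run of commits by one user) computed from "show system commit" output, together with a list of commits that carry only the default "commit" comment. The function names are hypothetical; the sample log is the first six entries from the reply.

```python
import re

# "<rev> <date> <time> by <user> via <method>", followed by a comment line.
ENTRY = re.compile(r"^(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) by (\S+) via (\S+)$")

# First six entries of the commit log shown in the reply.
SAMPLE_LOG = """\
0 2012-08-21 14:46:41 by zippy via cli
fix bgp policy maps
1 2012-08-21 14:45:59 by zippy via cli
commit
2 2012-08-21 14:45:33 by zippy via cli
fix port forwarding
3 2012-08-21 14:45:15 by zippy via cli
fix firewall
4 2012-08-21 14:44:29 by ubnt via cli
commit
5 2012-08-21 14:21:15 by ubnt via cli
add port forward for port 2222 to build-server
"""

def parse_commit_log(text):
    """Turn 'show system commit' output into a list of revision records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append({"rev": int(m[1]), "when": m[2], "user": m[3],
                            "via": m[4], "comment": ""})
        elif line and entries:
            entries[-1]["comment"] = line   # comment belongs to the entry above it
    return entries

def rollback_target(entries, user):
    """Revision just before the newest unbroken run of commits by `user`."""
    ordered = sorted(entries, key=lambda e: e["rev"])
    if not ordered or ordered[0]["user"] != user:
        return None                         # newest commit is not theirs
    for e in ordered:
        if e["user"] != user:
            return e["rev"]
    return None                             # every kept revision is theirs

def uncommented(entries):
    """Revisions whose comment is only the default 'commit'."""
    return [e["rev"] for e in entries if e["comment"] == "commit"]
```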