Configure Backup Script
Horizon uses an SSH scripting engine to run the commands on devices to upload their configuration settings.
You must create a script for each device type whose configuration you want to back up, and save the scripts in ${OPENNMS_HOME}/etc/device-config.
Each script simulates an interactive session with the network device, and tells the device to create a backup of its configuration.
The backup is then sent to a TFTP server which is operated by either Horizon or a Minion.
Some devices may distinguish between different types of configuration settings (for example, startup configuration versus running configuration).
Horizon treats configuration types as arbitrary strings, and uses default when no configuration type is specified.
|
You will reference these scripts when you create a requisition for a device of each type.
SSH scripting engine
The scripting engine supports two commands:
-
send: …: Sends the given string to the device. -
await: …: Waits for a response from the device that matches the given string.
Scripts can reference the following variables by using ${varname} notation:
| Name | Description |
|---|---|
tftpServerIp |
TFTP server’s IP address |
tftpServerPort |
TFTP server’s port number |
filenameSuffix |
Suffix that must be appended to the file name before uploading. Horizon uses this additional suffix to identify incoming uploads. |
configType |
Configuration type.
If not specified, this is set to |
Uploaded configuration files should include filename extensions like .zip or .gz that specify their file type.
You must also append the script variable filenameSuffix to the file name; this indicates that the file is set to upload.
|
Example
This example script is for a Juniper SRX firewall. You will need to modify it to configure other device types.
await: >
send: start shell
await: %
send: cd /config
await: %
send: tftp ${tftpServerIp}
await: tftp>
send: put juniper.conf.gz juniper.conf.gz${filenameSuffix}
await: tftp>
send: exitVendor TFTP support
See your device manufacturer’s official documentation for details on their TFTP support. The following are links to popular device manufacturers:
There are several example scripts available in ${OPENNMS_HOME}/etc/examples/device-config:
| Script | Target Device | Description |
|---|---|---|
aruba-cx-cli.dcb |
Aruba OS-CX |
Retrieves configuration from an ArubaOS-CX device in CLI format. |
aruba-cx-json.dcb |
Aruba OS-CX |
Retrieves configuration from an ArubaOS-CX device in JSON format. |
aruba-os.dcb |
Aruba OS |
Retrieves configuration from an ArubaOS device. |
cisco-ios-running.dcb |
Cisco IOS |
Retrieves |
cisco-ios-startup.dcb |
Cisco IOS |
Retrieves |
juniper-junos-config-gz.dcb |
Juniper JunOS |
Retrieves compressed configuration from a Juniper JunOS device. |
juniper-junos-config-set.dcb |
Juniper JunOS |
Retrieves configuration from a Juniper Junos device in |
juniper-junos-config-txt.dcb |
Juniper JunOS |
Retrieves uncompressed configuration from a Juniper Junos device. |
paloalto-panos-config.dcb |
Palo Alto PanOS |
Retrieves configuration from a Palo Alto PAN-OS device. |
Configure DCB user accounts
We recommend that you limit the privileges of any user accounts used for configuration retrieval.
The following examples demonstrate how to configure a dcb user account, specify its password (Pa55w0rd), and limit its privileges to only configuration retrieval commands.
This script creates a dcb user account based on a custom user group (dcb-group).
The user group has limited privileges, which are passed on to the dcb account.
aruba-os# configure
aruba-os(config)# aaa authorization commands local
aruba-os(config)# aaa authorization group "dcb-group" 1 match-command "copy running-config tftp .*" permit
aruba-os(config)# aaa authorization group "dcb-group" 2 match-command "show running-config" permit
aruba-os(config)# aaa authorization group "dcb-group" 3 match-command "copy startup-config tftp .*" permit
aruba-os(config)# aaa authorization group "dcb-group" 4 match-command "show startup-config" permit
aruba-os(config)# aaa authentication local-user "dcb" group "dcb-group" password plaintext
New password for dcb: Pa55w0rd
Please retype new password for dcb: Pa55w0rd
aruba-os(config)# exitThis script creates a dcb user account based on a custom user group (dcb-group).
The user group has limited privileges, which are passed on to the dcb account.
aruba-os-cx# config
aruba-os-cx(config)# user-group dcb-group
aruba-os-cx(config-usr-grp-dcb-group)# permit cli command "copy startup-config tftp.*"
aruba-os-cx(config-usr-grp-dcb-group)# permit cli command "copy running-config tftp.*"
aruba-os-cx(config-usr-grp-dcb-group)# permit cli command "show running-config"
aruba-os-cx(config-usr-grp-dcb-group)# deny cli command ".*"
aruba-os-cx(config-usr-grp-dcb-group)# exit
aruba-os-cx(config)# user dcb group dcb-group password
Enter password: Pa55w0rd
Confirm password: Pa55w0rd
aruba-os-cx(config)#This script creates a dcb user account based on a custom privilege configuration:
cisco-ios#configure terminal
cisco-ios(config)#username dcb privilege 2 secret Pa55w0rd
cisco-ios(config)#privilege exec level 2 copy running-config
cisco-ios(config)#privilege exec level 2 copy startup-config
cisco-ios(config)#exitThis script creates a dcb user account based on a custom login class (dcb-class).
The login class has limited privileges, which are passed on to the dcb account.
admin@juniper-junos# set system login class dcb-class permissions all
[edit]
admin@juniper-junos# set system login class dcb-class allow-commands "(exit)|(start shell)|(show configuration.*)"
[edit]
admin@juniper-junos# set system login class dcb-class deny-commands .*
[edit]
admin@juniper-junos# set system login user dcb uid 1006
[edit]
admin@juniper-junos# set system login user dcb class dcb-class
[edit]
admin@juniper-junos# set system login user dcb authentication plain-text-password
New password: Pa55w0rd
Retype new password: Pa55w0rd
[edit]
admin@juniper-junos# exit