Trigger is a robust network automation toolkit written in Python that was designed for interfacing with network devices.

Home Page: trigger.readthedocs.org

License: Other

Shell 0.14% Python 99.86%
acls network-automation network-engineers networking networking-programmability python systems

trigger's Introduction

What is Trigger?

Join the chat at https://gitter.im/trigger/trigger

Trigger is a robust network automation toolkit written in Python that was designed for interfacing with network devices and managing network configuration and security policy. It increases the speed and efficiency of managing large-scale networks while reducing the risk of human error.

Started by the AOL Network Security team in 2006, Trigger was originally designed for security policy management on firewalls, routers, and switches. It has since been expanded to be a full-featured network automation toolkit.

With the high number of network devices on the AOL network this application is invaluable to performance and reliability. We hope you'll find it useful on your network and consider participating!

Supported Platforms

  • Cisco IOS, NX-OS, and ASA software
  • Juniper Junos and ScreenOS
  • Force10 router and switch platforms running FTOS
  • Arista Networks 7000-family switches
  • ... and more!

Refer to the official docs for the full list.

Key Features

Trigger is designed to work at scale and can support hundreds or thousands of network devices with ease. Here are some of the things that make Trigger tick:

  • Support for SSH, Telnet, and Juniper's Junoscript XML API.
  • Easily get an interactive shell or execute commands asynchronously.
  • Leverage advanced event-driven functionality to manage any number of jobs in parallel and handle output or errors as they return.
  • Powerful metadata interface for performing complex queries to group and associate network devices by name, manufacturer, type, location, and more.
  • Encrypted storage of login credentials so you can interact without constantly being prompted to enter your password.
  • Flexible access-list & firewall policy parser that can test whether access is permitted, or easily convert ACLs from one format to another.
  • Detailed support for timezones and maintenance windows.
  • A suite of tools for simplifying many common tasks.

New in version 1.2:

  • Import your metadata from an existing RANCID installation to get up-and-running quickly!

New in version 1.3:

  • Import your metadata from a CSV file and get up-and-running even quicker!

Getting Started

The best way to get started is to read the documentation hosted by Read the Docs at http://trigger.readthedocs.io. There you will find everything you need to get going including usage examples, installation and configuration instructions, and more!

Before you begin

  • The develop branch is the default branch that will be active when you clone this repository. While it is generally stable this branch is not considered production-ready. Use at your own risk!
  • The master branch is the stable branch, and will reflect the latest production-ready changes. It is recommended that this is the branch you use if you are installing Trigger for the first time.
  • Each point release of Trigger is maintained as a tag branch. If you require a specific Trigger version, please refer to these.

Get in touch!

If you run into any snags, have questions, feedback, or just want to talk shop: contact us!

Pro tip: Find us on IRC at #trigger on Freenode (irc://irc.freenode.net/trigger).

trigger's People

Contributors

benjaminp, chepazzo, coxley, cpackham, gdpak, gigneil, gitter-badger, jathanism, jerdfelt, johnfzc, josephm28, matejv, mezbiderli-sfdc, mvh, nathanbabin-salesforce, nickpegg, smnmtzgr, supertylerc, tcuthbert

trigger's Issues

NetDevices needs a way to track metadata for virtual devices

NetDevices currently expects NetDevice objects to be physical assets. We need a way to identify a device as virtual or physical so that we can begin to utilize VRRP/HSRP/NSRP or VIP hostnames within Trigger. This is especially important for firewalls and load-balancers in active/passive configuration.

The rough 10,000ft idea is to have an additional attribute that designates a device as virtual, and to have some special methods like .is_virtual() or .is_physical().

Async support with Arista? Force10 OK

I see in settings.py that Arista is known not to work w/SSH async yet. Can you elaborate on what needs to be done? It looks like it gets stuck in an event loop. I tried the async "Slightly Advanced Examples" from the docs.

On a positive note, the async examples work fine with Force10 S-series, so I can do some more testing with Force10 and trigger. I'd like to help improve Arista and Force10 support in trigger.

Term.output() method does not seem to honor 'ios' format

ACL.output('ios') honors 'ios' format:

>>> print '\n'.join(acl.output('ios')[-3:])
!!! Deny All Else
!
access-list 2217 deny ip any any

But Term.output('ios') does not and actually outputs 'ios_named' format:

>>> print '\n'.join(acl.terms[-1].output('ios'))
!
!!! Deny All Else
!
deny ip any any

Fork ACL parser into distinct project.

This work will be non-trivial. The thought goes as follows:

  • Fork trigger.acl
  • Put all new ACL-related changes into this project; backport them into trigger.acl in the near-term as necessary
  • Once this project is stable, remove it from Trigger core
  • Replace core functionality with "contrib.acl" functionality that is optional and can be toggled in the global settings.

load_acl uncaught exception in creating a cm ticket

Traceback (most recent call last): 
 File "/usr/local/bin/load_acl", line 764, in <module> 
   main() 
 File "/usr/local/bin/load_acl", line 704, in main 
   cm_ticketnum = create_cm_ticket(work, oncall) 
 File "/etc/trigger/settings.py", line 421, in create_cm_ticket 
   return create_ticket(**oncall) 
 File "/usr/local/lib/python/site-packages/aol/remedy.py", line 181, in create_ticket 
   verbose=verbose, debug=debug) 
 File "/usr/local/lib/python/site-packages/aol/remedy.py", line 259, in __init__ 
   self.client = setup_client(self.url) 
 File "/usr/local/lib/python/site-packages/aol/remedy.py", line 221, in setup_client 
   client = Client(url) 
 File "/usr/local/lib/python/site-packages/suds/client.py", line 112, in __init__ 
   self.wsdl = reader.open(url) 
 File "/usr/local/lib/python/site-packages/suds/reader.py", line 152, in open 
   d = self.fn(url, self.options) 
 File "/usr/local/lib/python/site-packages/suds/wsdl.py", line 136, in __init__ 
   d = reader.open(url) 
 File "/usr/local/lib/python/site-packages/suds/reader.py", line 79, in open 
   d = self.download(url) 
 File "/usr/local/lib/python/site-packages/suds/reader.py", line 95, in download 
   fp = self.options.transport.open(Request(url)) 
 File "/usr/local/lib/python/site-packages/suds/transport/https.py", line 60, in open 
   return HttpTransport.open(self, request) 
 File "/usr/local/lib/python/site-packages/suds/transport/http.py", line 62, in open 
   return self.u2open(u2request) 
 File "/usr/local/lib/python/site-packages/suds/transport/http.py", line 118, in u2open 
   return url.open(u2request, timeout=tm) 
 File "/usr/local/lib/python2.6/urllib2.py", line 391, in open 
   response = self._open(req, data) 
 File "/usr/local/lib/python2.6/urllib2.py", line 409, in _open 
   '_open', req) 
 File "/usr/local/lib/python2.6/urllib2.py", line 369, in _call_chain 
   result = func(*args) 
 File "/usr/local/lib/python2.6/urllib2.py", line 1178, in https_open 
   return self.do_open(httplib.HTTPSConnection, req) 
 File "/usr/local/lib/python2.6/urllib2.py", line 1145, in do_open 
   raise URLError(err) 
urllib2.URLError: <urlopen error The read operation timed out> 

Gong should tell you when a device hostname does not resolve

% gong abc-bb1
Matched 'abc-bb1-net.aol.com'.
WARNING: You are connecting to a non-production device.
Connecting to abc-bb1-net.aol.com. Use ^X to exit.

Fetching credentials from /home/jathan/.tacacsrc

Look closely and you'll see that 'abc-bb1-net.aol.com' is typoed and therefore doesn't resolve:

% host abc-bb1-net.aol.com
Host abc-bb1-net.aol.com not found: 3(NXDOMAIN)

This hostname is misspelled in the NetDevices metadata.

Gong should not mask this problem, and should report it back to the user.

gong should handle ssh connection failures and optionally fallback to telnet

We have a switch which is failing sshd connections. When gong attempts to connect to it, it silently exits with no error message. Gong should either display an error when it receives one, fall back to telnet, or (ideally) do both.

$ ssh foo3-xyz2-sw2 
ssh_exchange_identification: Connection closed by remote host 

$ gong foo3-xyz2-sw2 
Connecting to foo3-xyz2-sw2.net.aol.com. Use ^X to exit. 

Fetching credentials from /home/jathan/.tacacsrc 


$

Need to research what the error condition is for "ssh_exchange_identification: Connection closed by remote host" so that it can be replicated within Trigger and handled accordingly (log, warn, react, etc).

Trigger should support JunOS policy-options

Take this very benign example of a policy-statement:

policy-statement Martians {
    term T1 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
            route-filter 10.0.0.0/8 orlonger;
            route-filter 127.0.0.0/8 orlonger;
            route-filter 128.0.0.0/16 orlonger;
            route-filter 169.254.0.0/16 orlonger;
            route-filter 172.16.0.0/12 orlonger;
            route-filter 191.255.0.0/16 orlonger;
            route-filter 192.0.0.0/24 orlonger;
            route-filter 192.0.2.0/24 orlonger;
            route-filter 192.168.0.0/16 orlonger;
            route-filter 224.0.0.0/4 orlonger;
        }
        then reject;
    }
}

which I would then call in some sort of routing policy, in this case it might be for a bgp peer:

bgp {
    log-updown;
    remove-private;
     group Your Mom {
        type external;
        import [ Martians YM_communities-next_hop ];
        export [ Public-Stuff Match_Any_Deny ];
        peer-as 1234;
        neighbor 1.2.3.4;
    }
}

Trigger should be able to handle me modifying either a section of the policy, either to add a new term, possibly insert a statement into an existing term, or change the behavior of the policy-statement in some way:

policy-statement Martians {
    term T1 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
            route-filter 10.0.0.0/8 orlonger;
            route-filter 127.0.0.0/8 orlonger;
            route-filter 128.0.0.0/16 orlonger;
            route-filter 169.254.0.0/16 orlonger;
            route-filter 172.16.0.0/12 orlonger;
            route-filter 191.255.0.0/16 orlonger;
            route-filter 192.0.0.0/24 orlonger;
            route-filter 192.0.2.0/24 orlonger;
            route-filter 192.168.0.0/16 orlonger;
            route-filter 224.0.0.0/4 orlonger;
        }
        then reject;
     }
    term T2 {
       then log;
   } 

}

Or possibly even add/change another variable of my peer. Let's say I wish to drain this router:

bgp {
    log-updown;
    remove-private;
     group Your Mom {
        type external;
        import [ YM_communities-next_hop ];
        export [ Your_Mom_Drain_Policy ];
        peer-as 1234;
        neighbor 1.2.3.4;
    }
}

Examples could vary. I may roll a new routing policy to a router and add it to an import or export statement. There are also a huge variety of types of policy match conditions and actions that might be useful.

SSH async execution is not disabling paging on multi-line output

This is related to the SSH auto-detection support that was added in Trigger 1.2. The problem is noticeably occurring when a Brocade router is found in the path, but could be with any IOS-like device that is returning more than 25 lines of output, causing the device to send a "--more--" prompt that blocks the entire program while it waits for user input (which is not displayed to the end user because it's async).

The workaround is to disable SSH async execution on Brocade routers within the Trigger configuration.

Like so:

SSH_ASYNC_DISABLED = {
    'arista': ['SWITCH'],  # Known not to work w/ SSH ... yet
    'brocade': ['SWITCH', 'ROUTER'], # Namely the Brocade VDX (I also added ROUTER!)
    'dell': ['SWITCH'],    # Dell SSH is just straight up broken
}

What needs to happen is that the Base SSH channel (trigger.twister.TriggerSSHChannelBase) needs a way to accept an optional NetDevice object as an argument to the constructor. When this is set, it should populate the self.initialize list of commands to the appropriate "disable paging" command for the platform (e.g. terminal length 0 on Cisco). This functionality already exists within trigger.twister.IoslikeSendExpect (telnet) and needs to be implemented for SSH channels.

Notification events should be extensible (not just email)

This will require adding a hook to the Trigger configuration for when alerts are to be sent. Currently it's assumed that an email will be sent, but this will need to be changed to just perform a function call. The default function call will just send email as it does now. This is similar to the current implementation of get_current_oncall() and create_cm_ticket() from within the Trigger settings.py.

acl -r not working

$ acl -r tealeaf abc-xyz-sw0
Traceback (most recent call last):
  File "/usr/local/bin/acl", line 138, in <module>
    except ModifyACLSetError, err:
NameError: name 'ModifyACLSetError' is not defined

settings.get_firewall_db_connection() is not found in Settings object

Traceback (most recent call last):
  File "/opt/bcs/bin/acl", line 84, in <module>
    queue = Queue()
  File "/opt/bcs/packages/python-modules-2.0/lib/python/site-packages/trigger/acl/queue.py", line 42, in __init__
    self.dbconn = settings.get_firewall_db_conn()
AttributeError: 'Settings' object has no attribute 'get_firewall_db_conn'

Because of the recent changes to how settings are imported, anything not in ALL_CAPS is not attached to the settings object. Need to fix this so that the database helper can be called.

trigger.acl.tools.check_access() needs to also check modifiers

trigger.acl.tools.check_access() looks for both permits and denies and can search for membership within networks or port-ranges, protocols, but does not check modifiers such as fragment-offsets, or other header options. Because term block_snmp_fragments has a fragment-offset 0 modifier in the term, the access was not an exact match and therefore was being skipped.

Note in this output below that it displays term block_snmp_fragments as being part of the access path, but it does not accurately determine it to be dropping the traffic because we weren't asking it to check fragment-offset 0. It reports the following term 10net-TCPUDP-ALLOW as permitting the access with the inline comment "/*check_access: PERMITTED HERE*/".

% ./check_access acl.123 10.180.124.82/32 1.2.3.4/32 udp 161 
term cflow { 
    then { 
    next term; 
    count arbor-cflow; 
    } 
} 
term block_snmp_fragments { 
    /* DIsallow snmp fragments */ 
    from { 
    fragment-offset 0; 
    protocol udp; 
    destination-port 161-162; 
    } 
    then { 
    discard; 
    count T42; 
    } 
} 
term 10net-TCPUDP-ALLOW { 
    /*check_access: PERMITTED HERE*/ 
    from { 
    source-address { 
        10.0.0.0/16; 
        10.2.0.0/16; 
...

Fix timeout problem on Brocade MLX w/ load_acl

The timeouts for Brocade need to be looked at because they don't seem to be timing out and just hang on "connecting to....". Finally, need to determine why certain ACLs couldn't complete the load on Brocade devices and fix/throw error.

Trigger execute_ioslike() should catch Brocade VDX errors such as "syntax error:"

When you login to a device and don't have the proper permissions, commands return "syntax error:"

% gong test3-abc-sw1.net.aol.com
Connecting to test3-abc-sw1.net.aol.com. Use ^X to exit.

Fetching credentials from /home/j/jathan/.tacacsrc
User's role is unavailable, using default.
Welcome to the Brocade Network Operating System Software
jathan connected from 172.20.21.51 using console on test3-abc-sw1
test3-abc-sw1# show clock
rbridge-id 2: 2012-04-06 19:11:07 Etc/GMT+0
test3-abc-sw1# configure terminal
------------------------------^
syntax error: unknown argument.
test3-abc-sw1#

We need to be able to identify these so that execute_ioslike() can properly catch errors.

Allow user to decide whether gong should suppress pre-authentication login messages

When using gong/go to access a device, any banner messages or other alerts that appear before authentication will not be displayed.

e.g., this message gets bypassed from the user's perspective on a Juniper EX4200:

set system login message "IMPORTANT STUFF!" 

While this message (post-auth) displays successfully:

set system login announcement "IMPORTANT STUFF!"

Can we get a toggle, like in .gorc, to display these?

Replace IPy with netaddr

In all libs and tools, replace usage of IPy with netaddr, which is way more robust and Pythonic.

Trigger ACL parser can't parse `fragment-offset` with byte-ranges in Juniper ACLs

Trigger can definitely parse fragment-offset in Juniper ACLs but it looks like we never actually account for a fragment-offset range.

So it can parse this:

fragment-offset 0;

But not this:

fragment-offset 6-8191;

When parsing an ACL with this it results in the following error:

Cannot parse /data/firewalls/acl.foo: missing semicolon on line 625

bin/netdev budget code option error

% netdev -s -b '12345678 (INTERNAL NETWORKS)' 
Traceback (most recent call last): 
  File "/opt/bcs/bin/netdev", line 182, in <module> 
    opts, args = parse_args(sys.argv) 
  File "/opt/bcs/bin/netdev", line 71, in parse_args 
    search_builder(opts) 
  File "/opt/bcs/bin/netdev", line 121, in search_builder 
    vars.append(" '%s' in x.budgetName.lower()" % opts.budget_name.lower()) 
AttributeError: 'NoneType' object has no attribute 'lower' 

Juniper firewall filter parser is not recognizing the fragment-offset match condition for larger than 0 offsets.

Because this is not parsed correctly, it will break all tooling around any filters updated with the match condition. This match condition needs to be either parsed correctly or ignored so tools like check_access will continue to work.

Example term:

    term dns_FRAGMENTATION { 
        from { 
            destination-address { 
                10.20.161.21/32; 
            } 
            fragment-offset 1024-8191; 
        } 
        then { 
            accept; 
            count dns_FRAGMENTATION; 
        } 
    }
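
An added example (Python 3, not code from Trigger) for the check_access modifier issue above and the two fragment-offset parsing reports: it parses single and ranged fragment-offset values and evaluates terms three ways, so a term whose modifier the query did not specify is reported as a conditional match instead of being skipped. The term dictionaries, function names and the 10.0.0.0/8 source block are constructed for illustration; only a single value or range is handled.

```python
import ipaddress

MAX_FRAG_OFFSET = 8191  # IPv4 fragment offset is a 13-bit field
YES, NO, MAYBE = "yes", "no", "maybe"


def parse_fragment_offset(value):
    """Parse a Junos fragment-offset value: '0;' or a range like '6-8191;'."""
    text = value.strip().rstrip(";").strip()
    low, sep, high = text.partition("-")
    low = int(low)
    high = int(high) if sep else low
    if not 0 <= low <= high <= MAX_FRAG_OFFSET:
        raise ValueError("bad fragment-offset: %r" % value)
    return (low, high)


def _in_ranges(number, ranges):
    return any(low <= number <= high for low, high in ranges)


def _in_networks(address, networks):
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(net) for net in networks)


# Each 'from' condition maps to the query field it is tested against.
CHECKS = {
    "source-address": ("src", _in_networks),
    "destination-address": ("dst", _in_networks),
    "protocol": ("protocol", lambda value, allowed: value in allowed),
    "destination-port": ("dport", _in_ranges),
    "fragment-offset": ("fragment_offset", _in_ranges),
}


def match_term(term, query):
    """Return YES, NO, or MAYBE when the query is silent on a condition."""
    result = YES
    for condition, wanted in term["from"].items():
        field, test = CHECKS[condition]
        if query.get(field) is None:
            result = MAYBE
        elif not test(query[field], wanted):
            return NO
    return result


def check_access(terms, query):
    """Return (action, deciding_term, conditional_terms) for a query."""
    conditional = []
    for term in terms:
        verdict = match_term(term, query)
        if verdict == NO or term["then"] == "next term":
            continue
        if verdict == MAYBE:
            # Could still decide the packet; report it, do not skip it.
            conditional.append(term["name"])
            continue
        return term["then"], term["name"], conditional
    return "discard", None, conditional  # implicit discard ends the filter


# Constructed sample modelled on the terms quoted in the issues.
TERMS = [
    {"name": "cflow", "from": {}, "then": "next term"},
    {"name": "block_snmp_fragments",
     "from": {"fragment-offset": [parse_fragment_offset("0;")],
              "protocol": ["udp"],
              "destination-port": [(161, 162)]},
     "then": "discard"},
    {"name": "dns_FRAGMENTATION",
     "from": {"destination-address": ["10.20.161.21/32"],
              "fragment-offset": [parse_fragment_offset("1024-8191;")]},
     "then": "accept"},
    {"name": "10net-TCPUDP-ALLOW",
     "from": {"source-address": ["10.0.0.0/8"], "protocol": ["tcp", "udp"]},
     "then": "accept"},
]

SNMP_QUERY = {"src": "10.180.124.82", "dst": "1.2.3.4",
              "protocol": "udp", "dport": 161}

if __name__ == "__main__":
    print(check_access(TERMS, SNMP_QUERY))
    print(check_access(TERMS, dict(SNMP_QUERY, fragment_offset=0)))
```

A caller should treat a non-empty conditional list as "permitted only if none of these terms apply" and show those terms next to the verdict.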

check_access *make discard* term display can be misleading

check_access alters the action field for any term marked with /*trigger: make discard*/ to discard. I do not know if this is by design but it actually comes off a little confusing. I spent the last 30 minutes telling someone something was blocked.

Real Term:

    term foo { 
        /*trigger: make discard*/ 
        from { 
            destination-address { 
                10.20.30.0/26; 
                10.20.30.64/26; 
            } 
            protocol [ tcp udp ]; 
        } 
        then { 
            accept; 
            count foo;
        } 
    } 

Check_access displayed term:

term foo { 
    /*trigger: make discard*/ 
    from { 
        destination-address { 
            10.20.30.0/26; 
            10.20.30.64/26; 
        } 
        protocol [ tcp udp ]; 
    } 
    then { 
        discard; 
        count foo;
    } 
}

ACL parser should fix invalid port-ranges

Such as this:

access-list 2018 permit tcp 172.28.22.0 0.0.0.255 host 172.1.2.3 range 21 20

The dst-ports get parsed into:

<RangeList: [(21, 20)]>

Which should be normalized (sorted) upon creating a RangeList object and result in:

<RangeList: [(20, 21)]>

gong is less capable of substring matching when preferring oob

Some strings which gong is able to match on when run normally fail when preferring oob with the "-o" flag.

$ gong test18-xy6
Matched 'test18-xy6-sw0.net.aol.com'.
Connecting to test-xy6-sw0.net.aol.com. Use ^X to exit.

Fetching credentials from /home/jathan/.tacacsrc
User login successful.

telnet@test-xy6-sw0#

$ gong -o test18-xy6
Traceback (most recent call last):
  File "/opt/bcs/bin/gong", line 144, in <module>
    main()
  File "/opt/bcs/bin/gong", line 83, in main
    connect_to_oob(args[1].lower())
  File "/opt/bcs/bin/gong", line 55, in connect_to_oob
    f = dev.find(device)
  File "/opt/bcs/packages/python-modules-2.0/lib/python/site-packages/trigger/netdevices.py", line 431, in find
    raise KeyError(key)
KeyError: 'test18-xy6'

$ gong -o test18-xy6-sw0
OOB Information for test18-xy6-sw0.net.aol.com
telnet ts-xy6.oob.aol.com 5003
Connecting you now...
Trying 10.302.206.509...
Connected to ts-xy6.oob.aol.com (10.302.206.509).
Escape character is '^]'.

test18-xy6-sw0>

Allow settings.py location to be specified via environment variable

RTFD doc builds are failing because when installed via pip + virtualenv the settings.py file is not found in the default location (/etc/trigger/settings.py).

We need a way to specify an alternate location via an environment variable that is read by simian.conf so that this can be set for RTFD within conf.py when it goes to build the docs.

http://readthedocs.org/docs/read-the-docs/en/latest/faq.html#how-do-i-change-behavior-for-read-the-docs

Make Commando interface more dynamic; ditch static methods

Currently trigger.cmds.Commando relies on a static mapping of vendor names to parse/generate/execute methods. This does not scale well and in the case of vendors with multiple device types with different behavior, it becomes very unwieldy. Here are some examples:

  • Brocade VDX router vs. Brocade VDX switch run different firmware versions
  • Vendor Juniper has routers/switches/firewalls running Junos, but also NetScreen firewalls running ScreenOS

We should make the callbacks use dynamic attribute lookups or just do the logic within generic parse/generate methods. See TastyPie's custom serializers for a good pattern for that (ref: http://bit.ly/Mzawdv)

Cisco/IOS port range of "0-65535" gets converted to bad "lt 65536"

When syntax-checking a policy with a port range of 0-65535, the parser turns this:

access-list 123 permit tcp host 1. host 10.62.138.209 range 0 65535

Into this:

access-list 123 permit tcp host 1.2.3.4 host 10.20.30.40 lt 65536

"lt 65536" is not valid. Both Cisco and Foundry devices do not like it. We should change the parser to just keep "range 0 65535" OR just omit the ports altogether.
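
An added example (Python 3, not code from Trigger) covering this issue and the earlier "ACL parser should fix invalid port-ranges" report: it normalises port ranges when they are created and renders them as IOS port operators, omitting the port match for 0-65535 (one of the two fixes proposed above) so that "lt 65536" is never emitted. The function names are hypothetical, and the example goes slightly beyond the issues by also merging overlapping and adjacent ranges.

```python
MAX_PORT = 65535

# Rule prefixes taken from the two issues.
RULE_2018 = "access-list 2018 permit tcp 172.28.22.0 0.0.0.255 host 172.1.2.3"
RULE_123 = "access-list 123 permit tcp host 1.2.3.4 host 10.20.30.40"


def normalize_ranges(ranges):
    """Return sorted, non-overlapping (low, high) tuples.

    Reversed pairs such as (21, 20) are swapped, and overlapping or
    adjacent ranges are merged. Ports outside 0-65535 raise ValueError
    rather than being passed through to a device.
    """
    cleaned = []
    for low, high in ranges:
        if low > high:
            low, high = high, low
        if low < 0 or high > MAX_PORT:
            raise ValueError("port out of range: %r" % ((low, high),))
        cleaned.append((low, high))
    merged = []
    for low, high in sorted(cleaned):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def ios_port_match(low, high):
    """Render one normalised range as an IOS port operator.

    The full 0-65535 range yields '' (no port restriction at all).
    """
    if (low, high) == (0, MAX_PORT):
        return ""
    if low == high:
        return "eq %d" % low
    if low == 0:
        return "lt %d" % (high + 1)   # high < 65535 here, operand <= 65535
    if high == MAX_PORT:
        return "gt %d" % (low - 1)    # low > 0 here, operand >= 0
    return "range %d %d" % (low, high)


def render_rules(prefix, dst_ports):
    """Return one ACL line per normalised destination-port range."""
    ranges = normalize_ranges(dst_ports)
    if not ranges:
        return [prefix]
    return [(prefix + " " + ios_port_match(low, high)).rstrip()
            for low, high in ranges]


if __name__ == "__main__":
    for line in render_rules(RULE_2018, [(21, 20)]):
        print(line)
    for line in render_rules(RULE_123, [(0, 65535)]):
        print(line)
```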

execute_ioslike() hangs on confirmation prompt on Brocade VDX platform

When executing "copy running-config startup-config" on a Brocade VDX switch, it prompts with:

This operation will modify your startup configuration. Do you want to continue? [y/n]:

2012-04-04 11:18:02-0700 [TriggerTelnet,client] Sending command: 'copy running-config startup-config'
2012-04-04 11:18:02-0700 [TriggerTelnet,client] dataReceived, got bytes: 'copy running-config startup-config\n'
2012-04-04 11:18:02-0700 [TriggerTelnet,client] dataReceived, got data: 'copy running-config startup-config\n'
2012-04-04 11:18:02-0700 [TriggerTelnet,client] dataReceived, got bytes: 'This operation will modify your startup configuration. Do you want to continue? [y/n]:'
2012-04-04 11:18:02-0700 [TriggerTelnet,client] dataReceived, got data: 'copy running-config startup-config\nThis operation will modify your startup configuration. Do you want to continue? [y/n]:'

And it just hangs there (IoslikeSendExpect.dataReceived keeps returning None)

Need a way to catch confirmation prompts and do something with them.
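
An added example (Python 3, not code from Trigger) for this issue and the earlier "syntax error:" report on the Brocade VDX: a small watcher that accumulates received chunks and decides whether to keep waiting, answer a confirmation, fail on a device error, or finish at the prompt. The class name, the regular expressions and the final "y" chunk are assumptions constructed from the transcripts quoted in the two issues.

```python
import re

# Assumed patterns, derived from the transcripts quoted in the issues.
PROMPT_RE = re.compile(r"(?:\A|\n)\S+[#>] ?\Z")       # e.g. 'test3-abc-sw1# '
CONFIRM_RE = re.compile(r"\[y/n\]:? ?\Z", re.IGNORECASE)
ERROR_RE = re.compile(r"^syntax error: .*$", re.MULTILINE)


class CommandWatcher:
    """Accumulate device output for one command and pick the next action."""

    def __init__(self, confirm_answer=None):
        # confirm_answer: 'y', 'n', or None to fail instead of answering.
        self.confirm_answer = confirm_answer
        self.buffer = ""

    def data_received(self, chunk):
        self.buffer += chunk
        if CONFIRM_RE.search(self.buffer):
            question = self.buffer.splitlines()[-1]
            self.buffer = ""
            if self.confirm_answer is None:
                # Surface the prompt instead of hanging on it.
                return ("fail", "unanswered confirmation: " + question)
            return ("send", self.confirm_answer + "\n")
        if not PROMPT_RE.search(self.buffer):
            return ("wait", None)
        error = ERROR_RE.search(self.buffer)
        if error:
            # The prompt came back, but the command was rejected.
            return ("fail", error.group(0).strip())
        return ("done", self.buffer)


def replay(chunks, confirm_answer=None):
    """Feed chunks to a watcher; stop at the first 'fail' or 'done'."""
    watcher = CommandWatcher(confirm_answer)
    actions = []
    for chunk in chunks:
        actions.append(watcher.data_received(chunk))
        if actions[-1][0] in ("fail", "done"):
            break
    return actions


# Constructed from the 'configure terminal' transcript in the VDX issue.
DENIED_CHUNKS = [
    "configure terminal\n------------------------------^\n",
    "syntax error: unknown argument.\ntest3-abc-sw1# ",
]

# First two chunks are from the log above; the third is constructed.
CONFIRM_CHUNKS = [
    "copy running-config startup-config\n",
    "This operation will modify your startup configuration. "
    "Do you want to continue? [y/n]:",
    "y\ntest3-abc-sw1# ",
]

if __name__ == "__main__":
    print(replay(DENIED_CHUNKS))
    print(replay(CONFIRM_CHUNKS))
    print(replay(CONFIRM_CHUNKS, confirm_answer="y"))
```

Failing by default on an unexpected confirmation keeps an automated run from either hanging or approving a change nobody reviewed.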

Load_acl uncaught exception when MySQL is unreachable

load_acl crashes when MySQL is unreachable. Let's make it exit gracefully.

Exception 1:

Traceback (most recent call last): 
 File "/usr/local/bin/load_acl", line 58, in <module> 
   queue = Queue(verbose=False) 
 File "/usr/local/packages/python-modules-2.0/lib/python/site-packages/trigger/acl/queue.py", line 42, in __init__ 
   self.dbconn = settings.get_firewall_db_conn() 
 File "/etc/trigger_settings.py", line 183, in get_firewall_db_conn 
   port=DATABASE_PORT, user=DATABASE_USER, passwd=DATABASE_PASSWORD) 
 File "/usr/local/packages/python-modules-2.0/lib/python/site-packages/MySQLdb/__init__.py", line 81, in Connect 
   return Connection(*args, **kwargs) 
 File "/usr/local/packages/python-modules-2.0/lib/python/site-packages/MySQLdb/connections.py", line 188, in __init__ 
   super(Connection, self).__init__(*args, **kwargs2) 
_mysql_exceptions.OperationalError: (2003, "Can't connect to MySQL server on '127.0.0.1' (111)") 

Exception 2:

Traceback (most recent call last): 
 File "/usr/local/bin/load_acl", line 58, in <module> 
   queue = Queue(verbose=False) 
 File "/usr/local/packages/python-modules-2.0/lib/python/site-packages/trigger/acl/queue.py", line 42, in __init__ 
   self.dbconn = settings.get_firewall_db_conn() 
 File "/etc/trigger_settings.py", line 179, in get_firewall_db_conn 
   port=DATABASE_PORT, user=DATABASE_USER, passwd=DATABASE_PASSWORD) 
 File "/usr/local/packages/python-modules-2.0/lib/python/site-packages/MySQLdb/__init__.py", line 81, in Connect 
   return Connection(*args, **kwargs) 
 File "/usr/local/packages/python-modules-2.0/lib/python/site-packages/MySQLdb/connections.py", line 188, in __init__ 
   super(Connection, self).__init__(*args, **kwargs2) 
_mysql_exceptions.OperationalError: (2013, "Lost connection to MySQL server at 'reading initial communication packet', system error: 104")

Fix python IPy bug w/ Python 2.7 in ACL parser

% ./load_acl --bouncy -Q testops_blockmj 
Traceback (most recent call last): 
  File "./load_acl", line 39, in <module> 
    from simian.acl import parse as acl_parse 
  File "/home/j/jathan/sandbox/simian/acl/__init__.py", line 22, in <module> 
    from simian.acl.parser import * 
  File "/home/j/jathan/sandbox/simian/acl/parser.py", line 1600, in <module> 
    lambda (net, length): IP('%s/%d' % (net, length))), 
  File "/home/j/jathan/sandbox/simian/acl/parser.py", line 1441, in S 
    subtagged.add(prod) 
TypeError: can only compare to a set 

This has something to do with the comparison of an IP object. This also might be worth dropping in lieu of replacing IPy w/ netaddr, especially since this should go hand-in-hand w/ the IPv6 work since it's the same machinery.

check_access needs to normalize source-address of "any"

When passing "any" to check_access it is converted to an empty list ([]) that is equivalent to Cisco's "any" or Juniper's null "source-address" block, which equates to "any source" when performing an access test.

Source addresses passed along such as "0.0.0.0" or "0.0.0.0/0" need to also be properly normalized to "any" (or []) in this context. This should be something that is standard throughout the Trigger ACL libraries.

acl_script is missing an import from trigger.acl.parser.Term

Traceback (most recent call last):
  File "/usr/local/bin/acl_script", line 530, in <module>
    opts.protocol)
  File "/usr/local/bin/acl_script", line 305, in create_trigger_term
    term = Term()
NameError: global name 'Term' is not defined

acl_script defines its own copy of create_trigger_term() and should just instead import it from trigger.acl.tools

Add A10 support for execute/pty in trigger.twister

Add support for A10 Networks AX3000 platform

  • interactive (pty) sessions
  • factory method (execute_)
  • Commando support
  • Error messages/timeouts
  • Prompt matching/state machine for remote execution (telnet/ssh)

Update load_acl to optionally perform "commit full" on Juniper EX4200 devices.

There is a Juniper bug affecting Juniper EX4200 devices, causing VLAN mappings to drop which can result in outages. The workaround from Juniper is to issue a "commit full" instead of just a commit.

The load_acl utility performs a "commit" using JunoScript. We need a way to optionally perform "commit full" on Juniper EX4200 devices (aka switches).

make gong's disconnect option user-configurable

One of my teammates just pointed out to me that when he does ^X on a Juniper device (to clear the command line of all characters), it disconnects the session. This is expected behavior in gong, but as far as I know it leaves the user with no way to pass a ^X to the remote device.

Juniper ^ commands are listed here: http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/nog-baseline/junos-cli-keyboard-shortcuts.html

In this case, ^U does the same thing as ^X, so that's a workaround, but there could be other uses for ^X out there in the wild. Also, it's nice not to force users to relearn their favorite tricks.

Could we make the disconnect character user-configurable (or even able to be disabled) in the .gorc file? Currently the .gorc file just sets auto commands to be done when you log in, but it's totally the right place for an override like this.
