Oxidized - tool for network devices config backup: Dmitriy Vassilyev

Oxidized - tool for network devices config backup

31st March 2022 at 5:56pm

Found this nice little snippet in the Internet. Every time I started a new job, one thing I had to do is to backup network equipment configurations. You never know when this particular piece of equipment would fail (like Dell S4048 with Intel Atom bug) and how would it affect current activities - in perfect world everything is redundant and fault-tolerant, yet sometimes it's not so. And according to Murphy's law if something breaks, it breaks when it can do the most harm. So when something breaks you need to restore it as quickly as possible. And configuring a switch or a router "from scratch" is not something you want to do in a "hurry" mode. Oxidized helps for such cases, you can simply restore running-config from backup you made earlier. Installation is pretty simple and described well enough. For output use "git" backend, even if you point it to a local folder it will keep config versions. You should use gpg, since CSV file would contain logins/passwords in clear text and you want it to be encrypted. I just encrypted router.db with "gpg -c", had

source: file: "router.db.gpg" gpg: true gpg_password: S3cr3t in config during start-up, then removed password from config. This way no files with cleartext passwords are available. Use special read-only users for this, like here. Definitely use web-interface, enable SSL for it and also you could tie it to AD (example for Apache 2):

<Location /oxidized> AuthType Basic AuthName "Enter LDAP credentials" AuthBasicProvider ldap AuthLDAPGroupAttribute member AuthLDAPSubGroupClass group AuthLDAPGroupAttributeIsDN On AuthLDAPURL "ldap://dc-host/OU=company,DC=contoso,DC=com?sAMAccountName?sub?(objectClass=*)" AuthLDAPBindDN "CN=user,OU=Service Accounts,OU=company,DC=contoso,DC=com" AuthLDAPBindPassword "password" Require ldap-group CN=IT,OU=Groups and Distribution Lists,OU=company,DC=contoso,DC=com ProxyPass http://127.0.0.1:8888/oxidized ProxyPassReverse http://127.0.0.1:8888/oxidized </Location> This way you'll be able to do search within configs (very useful, say, if you need to find a particular WWPN, yes, oxidized supports FC-switches as well) and also see diffs between versions (also incredibly useful feature: once you did something in GUI, you want to see changes appeared in config). If you look deeper into it, here's nice starting point for advanced config and here you can find model examples and later if needed add your own (it's pretty simple).