
Scripting How-To: Prevent typical human configuration errors

By Erdem posted 08-14-2015 15:10

  

Prevent Typical Human Configuration Errors

 

For SLAX version 1.0 and higher, you can use the protect-config script to check various parts of the configuration for typical human errors: for example, that a loopback interface with family inet is present, that the forwarding-options section has not been deleted, that snmp 0/0 is not configured, and so on. Each failed check aborts the commit with an error.

 

Source Code and GitHub Links

 

The source code below is also available from the following GitHub locations:
 

SLAX Script Contents

 
/* SLAX language version; the script targets SLAX 1.0 and newer. */
version 1.0;

/* Junos, commit-script and XNM namespaces used by the templates below. */
ns junos = "http://xml.juniper.net/junos/*/junos";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";

/* Standard Junos helper library; the jcs:edit-path and jcs:statement
   templates called later are expected to come from here. */
import "../import/junos.xsl";

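match configuration {
    /*
    - protect-config commit script, version 1.1, date: 8 August 2014.
    -
    - Every check below calls one of two templates defined at the end of
    - this file: error-if-missing (commit fails when the $must node-set is
    - empty) or error-if-present (commit fails when it is not empty).
    - All $must expressions are evaluated relative to the <configuration>
    - node matched here.
    -
    - NOTE(review): the comments say "deleted/deactivated"; whether a
    - deactivated section is absent from the node-set this script receives,
    - or still present with an inactive attribute, is not visible here and
    - should be confirmed on the target Junos release before relying on it.
     */

    /*
    - Make sure [edit chassis] is not totally deleted...
     */
    call error-if-missing($must = chassis, $statement = "chassis") {
        with $message = {
            expr "Chassis configuration cannot be empty !!!";
         }
    }

    /*
    - We are making sure that the loopback interface configuration is present
    - and it has family inet configured.
    - The commit will fail if this is not the case.
     */
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name =="0"]/family/inet/address, $statement = "interfaces lo0 unit 0 family inet address");

    /*
    - Optional IPv6 coverage: to enable it, move the call below out of this
    - comment. (The previous "v6-enable BEGIN" / "v6-enable END" markers were
    - both comment openers, so the block was only terminated by the next
    - comment's closing marker; removing that comment would have swallowed
    - the loopback-disabled check below without any error.)
    -
    - call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name =="0"]/family/inet6/address, $statement = "interfaces lo0 unit 0 family inet6 address");
     */

    /*
    - Now we check the present loopback interface configuration and make sure it's not disabled,
    - neither at the interface level nor on unit 0.
    - The commit will fail if this is the case.
     */
    call error-if-present($must = interfaces/interface[name == "lo0"]/disable | interfaces/interface[name == "lo0"]/unit[name == "0"]/disable) {
        with $message = {
            expr "The Loopback interface is disabled.";
         }
    }

    /*
    - Make sure snmp 0/0 is not configured. It would mess up with some apply-path implementations on the loopback filter !
    - The commit will fail if this is the case.
    - Every community is inspected; the earlier predicate community[name == *]
    - selected the same nodes (it compared each community's name with its own
    - children, which always includes name) but read as if it filtered something.
     */
    call error-if-present($must = snmp/community/clients[name == "0.0.0.0/0"]) {
        with $message = {
            expr "0.0.0.0/0 restrict is not recommended along with apply-path";
            expr " because it would compromise the firewall filter !!! ";
         }
    }

    /*
    - Making sure the whole forwarding-options section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = forwarding-options, $statement = "[edit forwarding-options]") {
        with $message = {
            expr "The [edit forwarding-options] is missing !!! ";
         }
    }

    /*
    - Making sure the whole routing-options section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = routing-options, $statement = "[edit routing-options]") {
        with $message = {
            expr "The [edit routing-options] is missing !!! ";
         }
    }

    /*
    - Making sure the whole protocols/bgp section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = protocols/bgp, $statement = "protocols bgp") {
        with $message = {
            expr "The protocols/bgp is missing !!! ";
         }
    }

    /*
    - Check that the protocol is not disabled...
     */
    call error-if-present($must = protocols/bgp/disable) {
        with $message = {
            expr "The BGP protocol is disabled, failing commit..";
         }
    }

    /*
    - Making sure the whole protocols/ospf section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = protocols/ospf, $statement = "protocols ospf") {
        with $message = {
            expr "The OSPF protocol is missing, failing commit..";
         }
    }

    /*
    - Check that the protocol is not disabled...
     */
    call error-if-present($must = protocols/ospf/disable) {
        with $message = {
            expr "The OSPF protocol is disabled, failing commit..";
         }
    }

    /*
    - Making sure the whole class-of-service section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = class-of-service, $statement = "[edit class-of-service]") {
        with $message = {
            expr "The whole class-of-service section is missing, failing commit..";
         }
    }

    /*
    - Check that the Cos is not disabled...
     */
    call error-if-present($must = class-of-service/disable) {
        with $message = {
            expr "The whole class-of-service is disabled, failing commit..";
         }
    }

    /*
    - Making sure the whole protocols/pim section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = protocols/pim, $statement = "protocols pim") {
        with $message = {
            expr "The pim protocol is missing, failing commit..";
         }
    }

    /*
    - Check that the protocol is not disabled...
     */
    call error-if-present($must = protocols/pim/disable) {
        with $message = {
            expr "The pim protocol is disabled, failing commit..";
         }
    }

    /*
    - Making sure the whole protocols/mpls section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = protocols/mpls, $statement = "protocols mpls") {
        with $message = {
            expr "The mpls protocol is missing, failing commit..";
         }
    }

    /*
    - Check that the protocol is not disabled...
     */
    call error-if-present($must = protocols/mpls/disable) {
        with $message = {
            expr "The MPLS protocol is disabled, failing commit..";
         }
    }

    /*
    - Making sure the whole protocols/ldp section is not deleted/deactivated.
    - The commit will fail if this is the case.
     */
    call error-if-missing($must = protocols/ldp, $statement = "protocols ldp") {
        with $message = {
            expr "The LDP protocol is missing, failing commit..";
         }
    }

    /*
    - Check that the protocol is not disabled...
     */
    call error-if-present($must = protocols/ldp/disable) {
        with $message = {
            expr "The LDP protocol is disabled, failing commit..";
         }
    }
}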

178 /* 

179     - Make sure snmp 0/0 is not configured. It would mess up with auto-filter !

180     - The commit will fail if this is the case. 

181      */ 

182 /* 

183 - This is where we can generate custom error/warning messages 

184 - by modifying the default templates. 

185  */ 

/*
- Emit an <xnm:warning> (rather than the <xnm:error> used by error-if-missing)
- when the $must node-set is empty.
- $must: node-set that is expected to exist in the configuration.
- $statement: text copied into <edit-path>; defaults to "unknown".
- $message: text copied into <message>.
- Not referenced by the match template above; available as a drop-in
- replacement for error-if-missing where a warning is preferred.
 */
template warn-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
    var $missing = not($must);

    if ($missing) {
        <xnm:warning> {
            <edit-path> { copy-of $statement; }
            <message> { copy-of $message; }
        }
    }
}

199 /*                  

200 - 

201 - 

202 - 

203  */ 

/*
- Emit an <xnm:error> when the $must node-set is empty, which makes the
- commit fail.
- $must: node-set that is expected to exist in the configuration.
- $statement: text copied into <edit-path>; defaults to "unknown".
- $message: text copied into <message>; callers usually override it with
- a "with $message = { expr ...; }" block.
 */
template error-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
    var $missing = not($must);

    if ($missing) {
        <xnm:error> {
            <edit-path> { copy-of $statement; }
            <message> { copy-of $message; }
        }
    }
}

217 /* 

218 - 

219 - 

220 - 

221  */ 

/*
- Emit one <xnm:error> per node in $must, so the commit fails whenever the
- selected statement exists.
- $must: node-set of statements that must NOT be present. The default of 1
-   is deliberately not a node-set, so an omitted parameter is meant to make
-   the for-each below raise an error instead of silently passing (see the
-   comment inside the template).
- $message: text copied into <message>.
 */
template error-if-present ($must = 1, $message = "invalid configuration statement") {
    /* give error if param missing */

    for-each ($must) {
        /* Context node is the offending statement; jcs:edit-path and
           jcs:statement presumably add its location to the error — they are
           expected to come from the imported junos.xsl, verify there. */
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> {
                copy-of $message;
            }
        }
    }
}

 

