What is the recommended way of adding a device root password to Junos Space to be used in SLAX / OP script?

  • 1.  What is the recommended way of adding a device root password to Junos Space to be used in SLAX / OP script?

    This message was posted by a user wishing to remain anonymous
    Posted 28 days ago

    Hi, I am creating a SLAX script to clean up storage space on EX switches to be able to run Junos Upgrades. Some shell commands, like

    pkg setop rm previous

    need root permissions.

    I found a workaround to pass the root password to "su" to run a sh script as root:

    set $shellCmd = {
      <request-shell-execute> {
        <command> 'sh -c "(sleep 1;echo ' _ $secret _ ')|script -q /dev/null su root -c ' _ "'sh /tmp/tmp.sh'" _ '"';
      }
    }
    set $shellCmdResult = jcs:execute($connection, $shellCmd);

    For clarification, what is run on the shell, without all the concatenation and nesting of the quotes:

    sh -c "(sleep 1;echo $secret )|script -q /dev/null su root -c 'sh <some-sh-script>'"

    What is the best way of retrieving and/or storing the root password in Junos Space? I currently use

    var $arguments = {
        <argument> {
            <name> "secret";
            <description> "root password";
        }
    }

    in the boilerplate of the SLAX script, but my fear is that this is error-prone (users will forget to fill out the corresponding field) and I am also afraid of arguments to scripts being logged somewhere in clear text.
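Added example, not part of the original post: the command in post 1 is parsed by two shells (the outer one and the `sh -c` child), so a password containing spaces, quotes, `$` or `;` has to be quoted once for each layer. The helper names `shquote` and `build_cmd`, the sample password and the use of `cat` in place of the `script ... su root` consumer are assumptions made for this sketch; the password is still part of the command text, so the quoting does nothing for the clear-text logging concern.

```shell
#!/bin/sh
# Added example (hypothetical helpers, constructed sample data).

# shquote VALUE: print VALUE as one single-quoted shell word.
# Each embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
shquote() {
    rest=$1
    out=
    while :; do
        case $rest in
            *\'*)
                head=${rest%%\'*}      # text before the first '
                out="$out$head'\\''"   # append it plus the escaped quote
                rest=${rest#*\'}       # continue after that '
                ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$out$rest"
}

# build_cmd SECRET CONSUMER: print an `sh -c` command line that feeds SECRET
# on stdin to CONSUMER. CONSUMER stands in for the page's
#   script -q /dev/null su root -c 'sh /tmp/tmp.sh'
# and is treated as trusted text. printf replaces echo because some echo
# implementations rewrite backslashes in their argument.
build_cmd() {
    # Layer 1: quote the secret for the inner shell.
    inner="(sleep 1; printf '%s\\n' $(shquote "$1")) | $2"
    # Layer 2: quote the whole inner command for the outer shell.
    printf 'sh -c %s' "$(shquote "$inner")"
}

# Constructed sample password with characters both shells treat specially.
sample='pa ss;$HOME`id`"x'\''y\z'

# Show the generated command line; nothing is executed here.
build_cmd "$sample" cat
echo
```

In the SLAX script the same two replacements would have to be applied to `$secret` before it is concatenated into `<command>`.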



  • 2.  RE: What is the recommended way of adding a device root password to Junos Space to be used in SLAX / OP script?

     
    Posted 28 days ago

    It has been a very very long time since I last did something with credentials on Junos Space.  But if I recall correctly, there was an attribute that could be used to pass the device credentials present in Junos Space to a SLAX script.

    The annotation was @PASSDEVICECREDENTIALS = "true"

    Reference: Script Annotations

    This would return the credentials that Junos Space was managing the device with in a data structure that could then be manipulated to obtain the credentials.

    I used to use the following approach in SLAX, but this was a long long time ago, and I honestly have no idea if this approach would work in recent versions of Junos Space, since I wrote this about 10 years ago or so.

    version 1.1;
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    ns str = "http://exslt.org/strings";
    ns func extension = "http://exslt.org/functions";
    ns jspace = "http://jspace-utils/asharp@juniper.net";
    
    import "../import/junos.xsl";
    
    /* @CONTEXT = "/device" */
    /* @NAME = "Example script" */
    /* @DESCRIPTION = "Example script" */
    /* @EXECUTIONTYPE = "GROUPEDEXECUTION" */
    /* @ISLOCAL = "true" */
    /* @PASSDEVICECREDENTIALS = "true" */
    
    match / {
    	<op-script-results> {
    		<output> {
    			var $devices = jspace:credentials();
    			for-each ($devices/device) {
    				expr "Device: " _ host _ " : user : " _ user _ " : passwd : " _ passwd _ "\n"; 
    			}
    		}
    	}
    }
    <func:function name="jspace:credentials"> {
    	if( $CONTEXT ) {
    		var $splitCredentials = str:split( $credentials, "\\;" );
    		var $targets := {
    			for-each ( $splitCredentials ) {
    				var $splitCredential = str:split( ., "\\:" );
    				var $user-target = str:split($splitCredential[1], "\@");
    				var $host = substring-before( substring-after( $deviceipmap, substring-after( $splitCredential[1], "@" ) _ "\":\"" ), "\"" );
    				<device> {
    					<target> {
    						expr $user-target[2];
    					}
    					<user> {
    						expr $user-target[1];
    					}
    					<passwd> {
    						expr $splitCredential[2];
    					}
    					<host> {
    						expr $host;
    					}
    				}
    			}
    		}
    		<func:result select="$targets">;
    	}
    	else {
    		<func:result select="false()">;
    	}
    }

    This might be of some use to you.

    Regards,



    ------------------------------
    Andy Sharp
    ------------------------------