My first approach to .py in EXOS - restore config without admin password

Tomasz
Userlevel 6
Badge

Hello,

 

I was encouraged today to make a script that would help with EXOS switches when admin password is lost (especially those with Python support but without one-time password login option, few versions in G1 release train). It was fun indeed and I’m looking for more.

There might be a problem when the admin password is forgotten and there is no failsafe account; moreover, in some older firmware versions (that yet support Python) there is no option for one-time password generated by GTAC. Rebooting the switch and loading factory defaults from bootrom is ok but it gives not only few minutes of downtime, we have to apply the config again. So I’ve made some silly play to even start with Python here and created a script which is responsible for creating default.xsf from the running configuration - all but the custom admin password.

cmdout_lines = exsh.clicmd("show conf",True).splitlines()

exsh.clicmd("rm default.xsf")
target = open("/usr/local/cfg/default.xsf", "w+")


for line in cmdout_lines:
        if not "configure account admin encrypted" in line:
                target.write(line+"\n")

target.close()

The result is, when a switch is unconfigured, everything is back there immediately but the admin password is blank again. Outage duration is minimized to a reboot time and no manual intervention is needed after.

My next step will be turning this into a process that could redo default.xsf with some intervals.

I’m issuing ‘rm default.xsf’ each time to just omit checking if the file exists.

If this could help anyone, I’m glad it did. If you have any comments how this could be improved (from functional perspective or from programming perspective - I’m not a software dev at all), I’d really appreciate them.

Perhaps it would be more elegant to create some API-based trigger to default the admin password remotely or set it to some another default-like string, but I don’t know if that is possible.

 

Kind regards,

Tomasz

4 replies

Stefan K.
Userlevel 5
Badge

Hi Tomasz,

first of all: thanks for sharing this!

I think I’m somehow lost… How exactly would I execute this scirpt (remotely) when I have no CLI Access to the switch?

Will this break stacks?

Best regards
Stefan

Tomasz
Userlevel 6
Badge

Hi Stefan,

 

The script is just about automated preparation of your switch for a potential forgotten admin password issue in the future. So you should definitely use it when you have CLI access to the switch. The idea is to deploy such script as a one-shot or on a regular basis (when it’s turned into a process or with UPM timers - I don’t consider a scenario with XMC and scheduled tasks as with XMC one could always look up XMC credentials and use them for admin access, although still not quite able to reconfigure admin password, only remove and redo ‘admin’ is XMC uses different r/w user).

Default.xsf is then supposedly always up-to-date for shorter outage when the real password recovery step is taken, ie. switch reboot, bootrom access through console and ‘config none’ issued to load factory defaults instead any config. Default.xsf kicks in right after and you have all pre-reboot config but no admin password.

Good question with stack breaking, tbh I’m not sure if ‘config none’ in bootrom is an equivalent of ‘unconfigure switch’ or ‘unconfigure switch all’, I never tried that method on a stack…

 

Cheers,

Tomasz

Stefan K.
Userlevel 5
Badge

The script is just about automated preparation of your switch for a potential forgotten admin password issue in the future. [...]

Aah, now that makes sense! hehe :D

Good question with stack breaking, tbh I’m not sure if ‘config none’ in bootrom is an equivalent of ‘unconfigure switch’ or ‘unconfigure switch all’, I never tried that method on a stack…

Yeah, that was also my thinking. I thought that you maybe know this. I would assume that it is “unconfigure switch all”…

 

Thank you! :relaxed:

Stefan

Tomasz
Userlevel 6
Badge

Made it a bit different now. The code:

from exos import api
import time

api.exec_cli(["create log message \"Starting smartbak\""])

while(True):
        api.exec_cli(["create log message \"Running smartbak loop iteration\""])
        cmdout_lines = api.exec_cli(["show conf"]).splitlines()
        api.exec_cli(["rm default.xsf"])
        target = open("/usr/local/cfg/default.xsf", "w+")
        for line in cmdout_lines:
                if not "configure account admin encrypted" in line:
                        target.write(line+"\n")
        target.close()
        time.sleep(3600)

Such .py can be executed with ‘create process -name- python-module -filename.py- start auto’.

It saves the running config to default.xsf without admin password every hour. Gotta make it more ‘pro’ with logging and introduce interval as an argument appended to the command above.

 

Cheers,

Tomasz

Reply