manage config with subversion

Posted: Fri Jul 16, 2021 4:50 pm
by bee
Hi,

I just acquired a hEX S and play around with the config as long as it is not yet in production.

My first impulse is to manage the configuration with subversion. I thought I could do
/export file=somewhere/all.rsc

then store that file in subversion.
After some fiddling around, I do another export, validate the diffs with subversion and have a new version of my config. When I encounter errors, I go back to the last working config in subversion, push that file to the router and with
/import file=somewhere/all.rsc
would restore that config.
Unfortunately, due to "add ...", this procedure would not overwrite the current config, but add everything twice (thus failing). I have also seen the /system backup save&load which works fine, but it seems to be binary.
Of course I could do the backup always twice, once to have a readable script and at the same time a binary backup for restore.

Any suggestions?
Thanks!

Re: manage config with subversion

Posted: Fri Jul 16, 2021 5:24 pm
by anav
It is not clear what your problem is??

Re: manage config with subversion

Posted: Fri Jul 16, 2021 5:31 pm
by andriys
I've been doing exactly that (tracking configuration history by storing configuration exports in svn) for several years now, and it is working great for me. I would only encourage you to use /export terse - the output will be slightly less human-friendly, but much more diff-friendly, which I find to be important.

It is true that restoring configuration from the export is not a straight-forward process, but you are not going to do that often. Or are you? And since you have the history, rolling specific changes back is easy.

Backups are binary, indeed. Additionally, they are also only meant to be restored on exactly the same box running exactly the same version of software.

Re: manage config with subversion

Posted: Sat Jul 17, 2021 12:40 am
by bee
Dear andriys, thanks for your support. Do you have any hints on the "restoring configuration from export"? Not sure, I hope I don't want to do that often, but right now it fails from the first line. Error is "pool is already existing" ... since it tries to add the ip pool for dhcp again.

Re: manage config with subversion

Posted: Sat Jul 17, 2021 3:07 am
by tangent
I though I could do
/export file=somewhere/all.rsc

You seem like the sort who'll appreciate this, then:

#!/bin/bash
host=my-router
cd /path/to/svn/checkout/directory || exit 1
# Plain-text export first, then a binary backup saved to the router's flash;
# the newest backup file is located via /file print, fetched, and both are committed.
ssh "$host" export > "$host-export.rsc" &&
    ssh "$host" '/system backup save' &&
    fn=$(ssh "$host" '/file print detail without-paging' |
         grep 'name="flash/.* type="backup"' |
         tail -1 |
         cut -f2 -d\") &&
    scp "$host:$fn" "$host-binary.backup" &&
    svn ci -m "Backup of $host on $(date "+%F @ %T")"

Now you've got the backup in two forms, done automatically without logging into the switch interactively, so you can script the download-and-commit as a periodic action or whatever. (Assuming you've set up SSH host keys, which of course you have.)

There may be more you need besides this:

  • You may have generated a host-specific SSH key pair on your workstation for secure login rather than reuse your workstation's default SSH key. If so, make sure both halves are backed up: you can't get the public half back out of the router once it's uploaded short of a binary backup & restoration.
  • If you ran "/ip ssh set strong-crypto=yes" (as I recommend) and then ran the subsequently-necessary "/ip ssh regenerate-host-keys", you need to export those SSH host keys via "/ip ssh export-host-key". Otherwise, you'll have to regenerate the host keys after each RSC (non-binary) restoration, causing your SSH clients to gripe about changed host keys and how that oooobviously means someone's trying to hack your connection. 😉
  • X.509 certificates generated by the router are only included in binary backups. Rather than let this push you to use binary backup and restore, I recommend downloading them after generating them, saving them alongside the other backup data for that router. You do that via:

    /certificate export-certificate export-passphrase=PASS file-name=my-router MyRouterTLS


    It's critical to give a passphrase, since without it, RouterOS will give you the public half of the key only. That's fine for some purposes, but for router restoration from backup, you need both halves. Store the passphrase somewhere secure, such as in a password manager, since it's what protects the private key from getting loose now that you've extracted it from the router.

due to "add ..." , this procedure would not overwrite the current config

Either look into "/system reset-configuration run-after-reset" or do a full reset and then load things in manually, per the steps below.

The choice between these comes down to this simple fact: the export file (*.rsc) may not contain everything you need to restore the router to its prior configuration, in which case the run-after-reset option can fail because the export file refers to configuration items that don't exist yet.

Worse, the binary backup file won't even always restore to the same router. I saw this while trying to mess with 7.1beta6.

Rather than try to automate my way out of this mess, I just wrote the manual restoration steps into a document I keep for the router so I can follow them the same way each time I need to restore:

  1. I usually need to restore because the router isn't working at all, since otherwise I could fix it in place without a restore. If this is because the router's lost its entire mind — it can happen! — then go to the next step. Otherwise, do a full reset so you're starting from a clean slate.
  2. Connect to the router via its MAC address using either WinBox or MAC-Telnet.
  3. Create a “full” capability login user with the credentials you've previously saved. (I ditch the "admin" user as soon as I'm able to.) I keep my login credentials in a password manager. If you have a router-specific SSH key, upload it to Files and import it for that user. Also load the saved SSH host keys and import them with "/ip ssh import-host-key". Try SSHing in now.
  4. Upload the certificates you backed up with the command above. Run "/cert import" to bring the keys in, unlocking them with the PEM passphrase used and saved above. Attach them to the necessary services: TLS certs on the www-ssl and api-ssl services, IPsec certs on the IPsec tunnels, etc.
  5. Since we aren't using the "run-after-reset" feature, it's now time to upload the *.rsc file to the router's filesystem root. At the Terminal prompt, say "/import" to run it. No arguments needed: it finds the file by extension and runs it.
  6. Reboot to be sure it all works as it did at the time of the last backup.
  7. If your login user with "full" capabilities is not "admin", you can delete the admin user now.

Re: manage config with subversion

Posted: Sat Jul 17, 2021 3:29 am
by anav
Yeah, that's Beginner Basics for sure! ;-PP

Re: manage config with subversion

Posted: Sat Jul 17, 2021 4:11 am
by tangent
Yeah, that's Beginner Basics for sure! ;-PP

Well, I'm a beginner, of a sort.

Re: manage config with subversion

Posted: Sat Jul 17, 2021 12:20 pm
by andriys
Do you have any hints on the "restoring configuration from export" ?
I do that rather rarely, mostly while changing/upgrading gear. What works best for me is /system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes, then connect using MAC-WinBox or MAC-telnet and apply (copy-and-paste) the configuration manually line by line, adapting to new hardware where appropriate.

Re: manage config with subversion

Posted: Sat Jul 17, 2021 1:17 pm
by rextended
@bee
use this post as example
viewtopic.php?f=1&t=175360&p=858564#p858564