
Scripting How-To: Prevent typical human error

By Erdem posted 11-19-2015 11:49

  
This applies to SLAX version 1.0 and higher.
 

Overview

 

Basic commit script to prevent typical human errors.

 

Description

 

Checks various parts of the configuration for typical human errors: for example, it verifies that the loopback interface is present with family inet configured, that the forwarding-options section has not been deleted, and that snmp 0/0 is not configured.

 

Source Code

 

GitHub Links

 

The source code below is also available from GitHub at the following locations:

 

 

SLAX Script Contents

 

version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
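match configuration {
    /*
     * Commit-time sanity checks against typical human errors.
     *
     * version: 1.1
     * date: 8 August 2014
     *
     * Every check below goes through error-if-missing or error-if-present,
     * both of which emit <xnm:error>, so a single hit fails the commit.
     *
     * The list of mandatory sections (chassis, forwarding-options,
     * routing-options, bgp, ospf, class-of-service, pim, mpls, ldp) is site
     * policy. A device that legitimately runs without one of them cannot
     * commit while this script is active, so trim the list per device role.
     *
     * NOTE(review): several comments say "deleted/deactivated". The checks
     * only test whether the node is present in the configuration handed to
     * this script; confirm on the target release that a deactivated
     * hierarchy is really absent from that view before relying on it.
     */

    /*
     * [edit chassis] must not be deleted entirely.
     */
    call error-if-missing($must = chassis, $statement = "chassis") {
        with $message = {
            expr "Chassis configuration cannot be empty !!!";
        }
    }

    /*
     * lo0 unit 0 must exist and carry at least one family inet address.
     * The commit fails otherwise (default message of error-if-missing).
     */
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet/address, $statement = "interfaces lo0 unit 0 family inet address");

    /* v6-enable BEGIN (delete this line and the END line to also require an inet6 address)
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet6/address, $statement = "interfaces lo0 unit 0 family inet6 address");
    v6-enable END */

    /*
     * Neither lo0 itself nor lo0 unit 0 may be disabled.
     * One error is raised per disable statement found.
     */
    call error-if-present($must = interfaces/interface[name == "lo0"]/disable | interfaces/interface[name == "lo0"]/unit[name == "0"]/disable) {
        with $message = {
            expr "The Loopback interface is disabled.";
        }
    }

    /*
     * Reject an SNMP community whose client list contains 0.0.0.0/0.
     * Per the original author this breaks apply-path based loopback
     * filters: where the permitted-source prefix-list is built from the
     * SNMP client entries, a 0.0.0.0/0 entry ends up in that list and the
     * filter no longer restricts who can reach SNMP.
     *
     * The entry is matched by prefix only, under any community, so it is
     * flagged whether or not it carries the restrict option. The earlier
     * [name == *] predicate on community compared name with the element's
     * own children and was true for every named community, so it has been
     * dropped without changing what is matched.
     *
     * NOTE(review): only the IPv4 form is matched; an IPv6 ::/0 client
     * entry is not covered by this check.
     */
    call error-if-present($must = snmp/community/clients[name == "0.0.0.0/0"]) {
        with $message = {
            expr "0.0.0.0/0 restrict is not recommended along with apply-path";
            expr " because it would compromise the firewall filter !!! ";
        }
    }

    /*
     * [edit forwarding-options] must be present.
     */
    call error-if-missing($must = forwarding-options, $statement = "[edit forwarding-options]") {
        with $message = {
            expr "The [edit forwarding-options] is missing !!! ";
        }
    }

    /*
     * [edit routing-options] must be present.
     */
    call error-if-missing($must = routing-options, $statement = "[edit routing-options]") {
        with $message = {
            expr "The [edit routing-options] is missing !!! ";
        }
    }

    /*
     * protocols bgp must be present ...
     */
    call error-if-missing($must = protocols/bgp, $statement = "protocols bgp") {
        with $message = {
            expr "The protocols/bgp is missing !!! ";
        }
    }
    /*
     * ... and must not be disabled.
     */
    call error-if-present($must = protocols/bgp/disable) {
        with $message = {
            expr "The BGP protocol is disabled, failing commit..";
        }
    }

    /*
     * protocols ospf must be present ...
     */
    call error-if-missing($must = protocols/ospf, $statement = "protocols ospf") {
        with $message = {
            expr "The OSPF protocol is missing, failing commit..";
        }
    }
    /*
     * ... and must not be disabled.
     */
    call error-if-present($must = protocols/ospf/disable) {
        with $message = {
            expr "The OSPF protocol is disabled, failing commit..";
        }
    }

    /*
     * [edit class-of-service] must be present ...
     */
    call error-if-missing($must = class-of-service, $statement = "[edit class-of-service]") {
        with $message = {
            expr "The whole class-of-service section is missing, failing commit..";
        }
    }
    /*
     * ... and must not be disabled.
     */
    call error-if-present($must = class-of-service/disable) {
        with $message = {
            expr "The whole class-of-service is disabled, failing commit..";
        }
    }

    /*
     * protocols pim must be present ...
     */
    call error-if-missing($must = protocols/pim, $statement = "protocols pim") {
        with $message = {
            expr "The pim protocol is missing, failing commit..";
        }
    }
    /*
     * ... and must not be disabled.
     */
    call error-if-present($must = protocols/pim/disable) {
        with $message = {
            expr "The pim protocol is disabled, failing commit..";
        }
    }

    /*
     * protocols mpls must be present ...
     */
    call error-if-missing($must = protocols/mpls, $statement = "protocols mpls") {
        with $message = {
            expr "The mpls protocol is missing, failing commit..";
        }
    }
    /*
     * ... and must not be disabled.
     */
    call error-if-present($must = protocols/mpls/disable) {
        with $message = {
            expr "The MPLS protocol is disabled, failing commit..";
        }
    }

    /*
     * protocols ldp must be present ...
     */
    call error-if-missing($must = protocols/ldp, $statement = "protocols ldp") {
        with $message = {
            expr "The LDP protocol is missing, failing commit..";
        }
    }
    /*
     * ... and must not be disabled.
     */
    call error-if-present($must = protocols/ldp/disable) {
        with $message = {
            expr "The LDP protocol is disabled, failing commit..";
        }
    }
}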
/*
    - Note: the snmp 0/0 check is made inside the match block above.
    - A 0/0 client would mess up the auto-filter, so the commit fails if one is configured.
     */
/*
- This is where we can generate custom error/warning messages
- by modifying the default templates.
 */
template warn-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
    /*
     * Emit an <xnm:warning> when $must selects nothing (not($must) is true).
     *   $must      - expression to test; callers are expected to pass a
     *                configuration path relative to the current node
     *   $statement - text copied into <edit-path>, default "unknown"
     *   $message   - text or result fragment copied into <message>
     * Produces no output when $must is non-empty.
     * None of the checks in this listing call it; they all use the
     * error variants, which block the commit instead of only warning.
     */
 
    if (not($must)) {
        <xnm:warning> {
            <edit-path> {
                copy-of $statement;
            }
            <message> {
                copy-of $message;
            }
        }
    }
}
/*                  
-
-
-
 */
template error-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
    /*
     * Emit an <xnm:error> when $must selects nothing (not($must) is true).
     *   $must      - expression to test; callers are expected to pass a
     *                configuration path relative to the current node
     *   $statement - text copied into <edit-path>, default "unknown";
     *                it is free text supplied by the caller, not a path
     *                derived from the configuration
     *   $message   - text or result fragment copied into <message>
     * Produces no output when $must is non-empty.
     */
 
    if (not($must)) {
        <xnm:error> {
            <edit-path> {
                copy-of $statement;
            }
            <message> {
                copy-of $message;
            }
        }
    }
}
/*
-
-
-
 */
template error-if-present ($must = 1, $message = "invalid configuration statement") {
    /*
     * Emit one <xnm:error> for every node selected by $must.
     *   $must    - node-set of offending configuration statements
     *   $message - text or result fragment copied into <message>
     * Inside the loop each selected node is the context node, and the
     * jcs:edit-path and jcs:statement templates are called in that context
     * to report where the offending statement sits.
     * An empty node-set produces no output.
     *
     * give error if param missing: $must defaults to 1.
     * NOTE(review): presumably the non-node default makes the for-each fail
     * loudly when a caller forgets $must - confirm on the target release.
     */
 
    for-each ($must) {
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> {
                copy-of $message;
            }
        }
    }
}

#How-To
#Slax
#ScriptingHow-To
#commitscript