Hi guys,
I would like to export the config of several Mikrotik routerboards (all running on ROS 7) to a FTP server. Anyone that can help me with a script that I can copy/paste into the scheduler?
Thanks!
short answer:
/system backup save name="backup"
/tool fetch address=server.ip.addr src-path="backup.backup" user=ftp.user mode=ftp password=ftp.passwd dst-path="backup.backup" upload=yes
long answer:
Be sure to set right permissions for your script / scheduler task
(this page contains some examples)
Only as side note, backup and export are two different things, each with its own merits and uses.
AFAIR backup is a binary thing while export is in text.
Some people prefer text format so they can store it into a git (or some other vcs) to see the difference. Or, even, edit it manually.
Backup is nice because it contains everything and can be reapplied on the save device.
Backup files get .backup extension by default, while export uses .rsc.
Export doesn't contain passwords and other secrets by default (unless you ask for it explicitly).
There is the .rcs "community" library created (and maintanined!) by @eworm available at the following URL's:
- https://git.eworm.de/cgit/routeros-scripts/
- GitHub - eworm-de/routeros-scripts: a collection of scripts for MikroTik RouterOS
@kriskenbe Answering your question. You could take a look at this script in the library, backup-upload
That's nice, is there a way to trigger it whenever configuration changes? Or is schedule the closest we can get?
You would probably not want to backup/export on each and every configuration change step.
So a scheduled backup is likely best, at an interval that you prefer.
It is possible, although tricky, using scripting to determine if something has been changed.
Unfortunately exports are incomplete. They do not contain users and certificates. That really should be fixed.
1 Like
But there's no way to retrieve the cleartext password, so the "salted" hash should be exported and a way to reimport it.
Certificates should also be exported in "classic" text format... with the risk for the cleartext private keys...
a password should be provided for both exporting and reimporting the export to encrypt and decrypt the private keys...
and other more sensitive data...
Of course. I did not think I would have to add that.
It should be a separate option to have the certificates, just like there is an option for sensitive data.
Directly supported by RouterOS would be better.
If I had time (this winter), I could make a script that does the RExport and RImport (excuse the pun...).
I've already studied in another topic how to ACTUALLY export everything to RouterBOARD, minus the user passwords.
If you skip backing up the entire files folder (which is obviously out of place), it might be feasible.
certificates public/private
ssh host key public/private
software license
export config (with sensitive)
export users (without password for obvious reasons)
skins [not directly considered on the link]
list of installed packages [not considered on the link]
User-Manager database
The Dude database
About username and passwords...
If is used internal user-manager for RouterOS user accounting,
can be exported all users with passwords included, (except admin that must exist as root user)...
Well, my simple use case is that I have custom API group and user (read-only) configured in a router, and when I /export it only the group is exported and not the user.
When I want to clone the router to a standby device I export the config, run it through a simple script to remove things the other router does not support, then do a reset-configuration with keep-users, no-default-config, and run-after-reset of that modified script.
Then I run into the issue (unless my script removes it) that the export contains the group definition but the destination router already has it, and the import fails.
I would prefer it when I could omit the keep-users flag and have both users and groups set to what they are on the main router.
For that, I need an export of the users that is good enough to be imported again on an empty router.
That would likely mean a "/user set" for the admin and a "/user add" for each of the other users.
Of course there would be no "password=abcde" parameter but instead a "password-hash=long_string" that would set the password as it was stored.
Same for trusted SSH keys and certificates.
Other files like skins and user manager database not required as mechanisms are already present to backup/restore these. In fact I would prefer when the user manager users would be moved to the database instead of being in the main config.
Would be interesting to see a script support rsync now that it's available in mikrotik devices 