Small but useful argument to /system reset

Hi,

I would like to suggest a feature: it would be really, really nice to have a keep-sshkeys option or similar for the /system reset-configuration command. The only way to load a configuration without failures (due to differences in “add” and “set”) is this command with the run-after-reset option, but unfortunately it regenerates SSH keys too, which makes it unusable. If it could preserve its digital identity, my problem would be solved.

that would mean that someone could completely reconfigure your router and you would not notice that something has changed and would use a compromised router. I guess you do not want that to happen, do you?

at least this is how I look at that.

baldaszti how would you use this? why do you need to reset something, and keep the users? reset means reset, remove all config. if you want to reconfigure only some part, use IMPORT command to set new values to existing config, without reset.

Hi normis,

We’ve bought over 10 devices and I have to send configuration from a central management system via ssh (scp+import). I need to reset config because /export generates “add” command (in /ip address for example) which will obviously fail on /import. There’s no way to generate and send differential commands, our company’s policy demands that the central management must contain exactly the same config as the device’s.

not necessarily. you can edit the RSC file and issue “remove” commands before adding the new addresses. RSC (Import) file is basically a file that contains RouterOS commands. whatever you can do in console, you can do from this file. This way you can issue commands to remove all other config, and apply only what is needed.
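As an added illustration of the remove-before-add approach described above (a constructed example, not a file from this thread or from MikroTik; interface names, pool names and addresses are placeholders), an RSC file that clears the objects it is about to recreate, so a repeated /import succeeds without a reset and the router keeps its SSH host key:

```routeros
# Constructed example RSC file: remove what we are about to re-add, so that
# /import does not stop with "already exists" / "pool with such name exists".
# Dependents are removed first (DHCP server before its pool), then objects
# are added back in dependency order.

/ip dhcp-server
remove [find name="lan-dhcp"]

/ip pool
remove [find name="lan-pool"]

/ip address
remove [find interface="ether2"]

/ip pool
add name="lan-pool" ranges=192.168.88.10-192.168.88.254

/ip address
add address=192.168.88.1/24 interface=ether2 comment="managed-by-cms"

/ip dhcp-server
add name="lan-dhcp" interface=ether2 address-pool="lan-pool" disabled=no
```

Because nothing here touches /system reset-configuration, the SSH host key and user accounts are left alone, which is what the key-authenticated management session in this thread depends on.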

As I mentioned I cannot edit the RSC file (neither manually, due to the number of devices, nor by script, due to company policy). Why is it a big deal to keep keys like user information during reset? Call it “keep-identity” if you like. Please, we cannot use your devices until there’s a method of saving and restoring configuration in a human readable format (containing cli commands) without losing the router’s identity. I wouldn’t ask if I could find any other solution.

You are wrong. To do so you would need a key authenticated ssh prompt (which I cannot use now, since the router’s identity changes).

creating a new function in RouterOS is not so easy.

somebody else will ask for “keep wireless keys”, “keep user manager db”, “keep routes” etc. we need to figure out a solution that helps everyone

for rapid config of routers with RSC files, you can also use Flashfig:

http://wiki.mikrotik.com/wiki/Manual:Flashfig

why can’t you edit the RSC files?

“keep-identity” looks quite universal to me. I’m not talking about routes, wifis and other provided services, but the safe identification of the router itself on management side.

for rapid config of routers with RSC files, you can also use Flashfig:
http://wiki.mikrotik.com/wiki/Manual:Flashfig

Flashfig is not an option since the routers are not on the same L2 network (in fact they are hundreds of km away), nor does our cms use windows. I’ve already integrated routeros into our cms, I can read and upload configuration perfectly, I only need a way to load an unmodified /extract output without failures or losing the router’s identity.

why can’t you edit the RSC files?

As I’ve told you by hand it would take too much time, and our company policy does not allow scripts (no home-made configuration manipulating script would ever pass on audit, it’s a question of responsibility).

anyway, you still have only one option. tell the management that their policy is blocking your goal.

editing by hand will not take a lot of time. not more than configuring one router. just paste needed commands in a text file, that’s it.

I cannot. We’re administrating a huge amount of devices from different manufacturers, and RouterOS is the only one that fails. And it’s not the management that writes the rules, we got them from the auditor.

And I do have another option, ask the kind developer to put a small “if” statement in the code around the “rm .ssh/id” command (come on, we paid for a dozen level 6 licenses with support, shouldn’t it be enough?).

editing by hand will not take a lot of time. not more than configuring one router. just paste needed commands in a text file, that’s it.

Editing 1 configuration and about 20 DOES TAKE considerably more time. Not to mention the possibility of errors (typos or pasting the same management ip for more routers and other problems).

while you were writing this post, you would have completed editing the file. you only need to do this once, as you will use it for all the routers.

sorry but I can’t help you in any other way. import/export was designed for this reason.

Sorry, but you’re wrong. They use different ip addresses for example (as I wrote before) which involves human error that we cannot afford.

sorry but I can’t help you in any other way. import/export was designed for this reason.

In this case why can’t I import a config generated from export without modifications (adding plus remove commands)? Shouldn’t it be so?

well, if ‘keep-users’ parameter of ‘reset-configuration’ is intended to save authentication info after reset, why can’t it save SSH keys?..

to import ‘file.rsc’, try “/system reset-configuration run-after-reset=file.rsc”

good point. I would be happy with this, it would solve my problem.

to import ‘file.rsc’, try “/system reset-configuration run-after-reset=file.rsc”

That’s exactly what I’m trying to do. It works fine, the only problem is the loss of authentication (ssh key changed).

The router 5.6 is a great one, having the new features of configuration as well as the modulation of access and sharing.

So what about preserving keys if “keep-users=yes” flag used? No new function involved, you don’t even have to alter the documentation… Please, I really need this, and you can bet I’m not the only one who wants to restore full configuration.

Indeed. I’d also rather like this.

What new features of configuration do you mean?

Btw I tested 5.6 with factory default configuration, same results:

[admin@MikroTik] > /export file=test.rsc
[admin@MikroTik] > /import file=test.rsc 
Opening script file test.rsc

Script file loaded successfullyfailure: pool with such name exists
[admin@MikroTik] >

This is obviously a “no remove before add command” problem.

I also tried

/system reset-configuration run-after-reset=test.rsc

now the device is totally dead.

I cannot communicate with it, not by L2 (winbox simply does not see it, no response from the device to udp/5678), nor by L3 (no response to arp requests for 192.168.88.1). Just for the record, I use a direct cable which worked until the reset was performed. I dumped on the interface, I see only CDP announcements coming from the device, nothing else.

It seems to me that 5.6 is even buggier than 5.5.

It seems to me that 5.6 is even buggier than 5.5.

where is the bug? that you ran import on a configured system? please read the manual on how import/export works.