Semi-Automating CPE ROS/Firmware/script updates and setting changes

From MikroTik Wiki
Revision as of 20:30, 20 August 2012 by Earthstation (talk | contribs)

Introduction

Imagine this scenario. You have numerous APs and hundreds of CPEs, and you want to add a script, change a setting, upgrade RouterOS to the newest version, or check that the firmware is at the latest available version. If you don't have a way of rolling this out automatically, you are going to spend many hours logging into each CPE and doing it manually. So why not log in once more, implement this solution, and never have to log into a CPE again to do these tasks?

By following the process below you will only have to manually access your existing client units one last time, to load the scripts below. Once the CPEs are loaded with the scripts, they will automatically update their ROS versions and firmware when you trigger them. You trigger them by enabling the relevant IPs; the CPE netwatch routines detect those IPs and run the update scripts. For your own peace of mind and general security considerations, you manually control when this happens.

NOTE: I have borrowed liberally from other script writers and thank them for their assistance. I claim no copyright on any of this coding. Use it as you wish, also test before going onto production units. Used at your own risk.


At a Central Point

1. On a MikroTik AP or Edge/Gateway Router - this is where you will place the upgrade script file and ROS update files in future.

Create IP addresses (a unique subnet) on an ethernet port as per the example below. These IPs do not have to be on a dedicated ethernet port, as MikroTik allows the creation of multiple IPs/subnets on a single interface. Please note that these IP addresses are disabled. They are only enabled when you wish to trigger the update routines on the CPEs.


 /ip address 
 add address=172.16.0.1/24 comment="CPE File Upgrade" disabled=yes interface=ether1 network=172.16.0.0
 add address=172.16.0.2/24 comment="RouterOS Upgrade" disabled=yes interface=ether1 network=172.16.0.0
 add address=172.16.0.3/24 comment="Firmware Upgrade" disabled=yes interface=ether1 network=172.16.0.0
 add address=172.16.0.4/24 comment="Force CPE Reboot" disabled=yes interface=ether1 network=172.16.0.0


That is all the scripting you will be required to do on the edge/gateway router/AP. You will need to ensure that the routing tables at each AP know where to find the IP subnet created above, so that the CPE netwatch routines you will soon create can reach the trigger IPs.

On Each CPE

2. Now we create the script that fetches the client unit upgrade file (always called upgrade.rsc, unless you change it in the script below). This needs to be done ONCE on every CPE. It will be useful to add this script to the config.rsc file you use to set up new CPEs.

The "Upgrade Script" to be installed on all your CPE's:

 /system script
 add name=rscfetch policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="{\r\
  \n:global ftpserver\r\
  \n:global usrnme\r\
  \n:global passwd\r\
  \n:global pckgname\r\
  \n\r\
  \n:set pckgname (\"upgrade.rsc\")\r\
  \n###########################################\r\
  \n# Set the package name above as you wish. Remember that your upgrade file (NOT the ROS files) must in \r\
  \n#       future, have the same name as what you set here.\r\
  \n# Set the IP below, to exactly the same as the trigger IP you added with the comment \"CPE File Upgrade\"\r\
  \n# in step 1. Replace \"admin\" and \"password\" below with the correct settings to allow ftp access to \r\
  \n# the server.\r\
  \n###########################################\r\
  \n:set ftpserver \"172.16.0.1\"\r\
  \n:set usrnme \"admin\"\r\
  \n:set passwd \"password\"\r\
  \n\r\
  \n:if ([:len [/file find name=\"upgrade\"]] = 0) do={:log error \"Downloading Upgrade File - \$pckgname\"\r\
  \n ;/tool fetch address=\"\$ftpserver\" src-path=\"\$pckgname\" user=\"\$usrnme\" \
  password=\"\$passwd\" mode=ftp;/import file-name=\$pckgname} else={:log error \"No Upgrade File Found\";}\r\
  \n}"


3. Now add a netwatch routine to the CPE to trigger the script to fetch and load the upgrade.rsc file.

/tool netwatch
add disabled=no down-script="" host=172.16.0.1 interval=1m timeout=1s up-script=rscfetch;

4. Add the source for future ROS upgrades. In our case we use the same IP as the trigger IP set in step 1 with the comment "RouterOS Upgrade". You will be prompted for the password when you add this; it cannot be coded into the script.

/system upgrade upgrade-package-source
add address=172.16.0.2 user=admin

Summary of Steps 2 to 4, a single cut 'n paste, to terminal window on the CPE.

5. Summing up the required CPE scripts above, you can edit and load the following onto each CPE in one routine (cut and paste to a terminal window)

Summary CPE Code (This is the ONLY script you need to load on your CPE's.)

 /system script
 add name=rscfetch policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="{\r\
   \n:global ftpserver\r\
   \n:global usrnme\r\
   \n:global passwd\r\
   \n:global pckgname\r\
   \n\r\
   \n:set pckgname (\"upgrade.rsc\")\r\
   \n:set ftpserver \"172.16.0.1\"\r\
   \n:set usrnme \"admin\"\r\
   \n:set passwd \"password\"\r\
   \n\r\
   \n:if ([:len [/file find name=\"upgrade\"]] = 0) do={:log error \"Downloading Upgrade File - \$pckgname\" \r\
   \n;/tool fetch address=\"\$ftpserver\" src-path=\"\$pckgname\" user=\"\$usrnme\" \
   password=\"\$passwd\" mode=ftp;/import file-name=\$pckgname} else={:log error \"No Upgrade File Found\";}\r\
   \n}"
 /tool netwatch
 add disabled=no down-script="" host=172.16.0.1 interval=1m timeout=1s up-script=rscfetch;
 /system upgrade upgrade-package-source
 add address=172.16.0.2 user=admin;
 

Remember to add the password for the upgrade source when prompted at the end of the routine.

Only once ALL CPEs are updated with the scripts from Step 2 to Step 4, or via the Summary Code in Step 5, proceed to Step 6.
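The rscfetch script stores an FTP user name and password in clear text on every CPE, so the account it names should be able to do nothing except download files. One way to set that up on the central router, as an added example that is not part of the original page; the group and user names, the password placeholder and the 10.10.0.0/16 CPE management subnet are assumptions to replace with your own values:

```routeros
# Added example, not from the original page. Run on the central router
# that holds upgrade.rsc and the 172.16.0.x trigger addresses.
# Assumptions: "cpe-fetch" and "cpefetch" are hypothetical names and
# 10.10.0.0/16 is a placeholder for the subnet your CPEs connect from.

# Group limited to FTP login and reading files. No write, reboot,
# winbox, ssh or policy rights, so a password recovered from a CPE
# cannot be used to reconfigure this router.
/user group
add name=cpe-fetch policy=ftp,read comment="CPE download only"

# Account that is only accepted from the CPE subnet. Give it a password
# that is used nowhere else.
/user
add name=cpefetch group=cpe-fetch address=10.10.0.0/16 \
    password="CHANGE-ME" comment="Used by rscfetch on the CPEs"

# Accept FTP connections only from the CPE subnet. If you upload
# upgrade.rsc over FTP yourself, add your management subnet to this list.
/ip service
set ftp address=10.10.0.0/16
```

In rscfetch, set usrnme and passwd to this account instead of admin.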

Create the file upgrade.rsc

6. Now we can create an upgrade.rsc file (or whatever name you designated as $pckgname above), to load to 172.16.0.1

File upgrade.rsc below, assumes the IP triggers set in Step 1 are correctly referenced below.

 :if ([file find type=".rif file"]!="") do={/file remove [find type=".rif file"]}
 :if ([file find type=".tar file"]!="") do={/file remove [find type=".tar file"]}
 :if ([file find type="backup"]!="") do={/file remove [find type="backup"]}
 :if ([file find type="script"]!="") do={/file remove [find type="script"]}
 /system backup save;
 :delay 10s;
 /system script
 :if ([find name="upgrade"]!="") do={remove [find name="upgrade"]}
 add name=upgrade policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="{\r\
   \n:global NewV\r\
   \n:global pckgname\r\
   \n:global ntpname\r\
   \n\r\
   \n/system upgrade refresh;\r\
   \n\r\
   \n:delay 30s;\r\
   \n:set NewV [/system upgrade get [/system upgrade find name=\"routeros-mipsbe\"] version]\r\
   \n\r\
   \n:set pckgname (\"routeros-mipsbe-\". \$NewV . \".npk\")\r\
   \n:set ntpname (\"ntp-\". \$NewV . \"-mipsbe.npk\")\r\
   \n\r\
   \n:if ([/system upgrade get [/system upgrade find name=\"routeros-mipsbe\"] status]!=\"installed\") \
   do={/system backup save;:log error \"Downloading Latest Version file - \$pckgname\";/system \
   upgrade download [/system upgrade find name=\"routeros-mipsbe\"];} else=\
   {:log error \"Latest Version file - \$pckgname already installed\";}\r\
   \n\r\
   \n}\r\
   \n\r\
   \n"
 :if ([find name="upgradefirm"]!="") do={remove [find name="upgradefirm"]}
 add name=upgradefirm policy=\
   ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
   source="{\r\
   \n:global oldfirm [/system routerboard get current-firmware];\r\
   \n:global newfirm [/system routerboard get upgrade-firmware];\r\
   \n# Act only when the running and the available firmware versions differ.\r\
   \n:if (\$oldfirm != \$newfirm) do={:if ([/tool netwatch get [find host=\"172.16.0.4\"] disabled]=yes) \
   do={/tool netwatch set [find host=\"172.16.0.4\"] disabled=no;}}\r\
   \n\r\
   \n:if (\$oldfirm != \$newfirm) do={/system routerboard upgrade;}\r\
   \n}\r\
   \n"
 :if ([find name="rebooting"]!="") do={remove [find name="rebooting"]}
 add name=rebooting policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
   source=":if ([/tool netwatch get [find host=\"172.16.0.4\"] disabled]=no) \
   do={/tool netwatch set [find host=\"172.16.0.4\"] disabled=yes;}\r\
   \n:delay 20s;\r\
   \n/system reboot;\r\
   \n"
 # Ensure that the IP addresses set in the netwatch entries below match the IPs you set in Step 1 above.
 /tool netwatch
 :if ([find host="172.16.0.2"]!="") do={remove [find host="172.16.0.2"]}
 :if ([find host="172.16.0.3"]!="") do={remove [find host="172.16.0.3"]}
 :if ([find host="172.16.0.4"]!="") do={remove [find host="172.16.0.4"]}
 :if ([find host="172.16.0.2"]="") do={add disabled=no down-script="" host=172.16.0.2 \
   interval=1m timeout=1s up-script=upgrade}
 :if ([find host="172.16.0.3"]="") do={add disabled=no down-script="" host=172.16.0.3 \
   interval=1m timeout=1s up-script=upgradefirm}
 :if ([find host="172.16.0.4"]="") do={add disabled=yes down-script="" host=172.16.0.4 \
   interval=1m timeout=1s up-script=rebooting}

File upgrade.rsc in more detail

For explanation purposes, we have the upgrade.rsc code explained in detail below.

The first part of the script clears certain file types to ensure that the CPE's do not become congested with numerous files, and it then makes a backup of the CPE's configuration.

 :if ([file find type=".rif file"]!="") do={/file remove [find type=".rif file"]}
 :if ([file find type=".tar file"]!="") do={/file remove [find type=".tar file"]}
 :if ([file find type="backup"]!="") do={/file remove [find type="backup"]}
 :if ([file find type="script"]!="") do={/file remove [find type="script"]}
 /system backup save;
 :delay 10s;


The next section loads scripts onto the CPE. The first script is to upgrade the ROS on the CPE. This does not need to be edited, as it runs via the system upgrade resource function. This is triggered by enabling 172.16.0.2 as set in Step 1.

 /system script
 :if ([find name="upgrade"]!="") do={remove [find name="upgrade"]}
 add name=upgrade policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="{\r\
   \n:global NewV\r\
   \n:global pckgname\r\
   \n:global ntpname\r\
   \n\r\
   \n/system upgrade refresh;\r\
   \n\r\
   \n:delay 30s;\r\
   \n:set NewV [/system upgrade get [/system upgrade find name=\"routeros-mipsbe\"] version]\r\
   \n\r\
   \n:set pckgname (\"routeros-mipsbe-\". \$NewV . \".npk\")\r\
   \n:set ntpname (\"ntp-\". \$NewV . \"-mipsbe.npk\")\r\
   \n\r\
   \n:if ([/system upgrade get [/system upgrade find name=\"routeros-mipsbe\"] status]!=\"installed\") \
   do={/system backup save;:log error \"Downloading Latest Version file - \$pckgname\";/system \
   upgrade download [/system upgrade find name=\"routeros-mipsbe\"];} else={:log \
   error \"Latest Version file - \$pckgname already installed\";}\r\
   \n\r\
   \n}\r\
   \n\r\
   \n"

The next 2 scripts to be added to the CPE control the firmware upgrade and reboot. It is suggested that these two only be triggered AFTER a ROS upgrade, as very often the firmware only changes once a ROS upgrade is carried out. These are triggered by enabling 172.16.0.3 and 172.16.0.4 as set in Step 1. The firmware upgrade script compares the current version with the new version, and updates if a difference exists. If a difference in versions exists it also turns on the netwatch to set a reboot in motion.


 :if ([find name="upgradefirm"]!="") do={remove [find name="upgradefirm"]}
 add name=upgradefirm policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
   source="{:global oldfirm [/system routerboard get current-firmware];\r\
   \n:global newfirm [/system routerboard get upgrade-firmware];\r\
   \n# Act only when the running and the available firmware versions differ.\r\
   \n:if (\$oldfirm != \$newfirm) do={:if ([/tool netwatch get [find host=\"172.16.0.4\"] disabled]=yes) \
   do={/tool netwatch set [find host=\"172.16.0.4\"] disabled=no;}}\r\
   \n\r\
   \n:if (\$oldfirm != \$newfirm) do={/system routerboard upgrade;}\r\
   \n}\r\
   \n"
 :if ([find name="rebooting"]!="") do={remove [find name="rebooting"]}
 add name=rebooting policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
   source=":if ([/tool netwatch get [find host=\"172.16.0.4\"] disabled]=no) \
   do={/tool netwatch set [find host=\"172.16.0.4\"] disabled=yes;}\r\
   \n:delay 20s;\r\
   \n/system reboot;\r\
   \n"

Finally we add the additional netwatches required to trigger the various routines on the CPE. The script tests if the netwatch hosts already exist, if so, deletes them, and then adds new netwatch routines.


 /tool netwatch
 :if ([find host="172.16.0.2"]!="") do={remove [find host="172.16.0.2"]}
 :if ([find host="172.16.0.3"]!="") do={remove [find host="172.16.0.3"]}
 :if ([find host="172.16.0.4"]!="") do={remove [find host="172.16.0.4"]}
 :if ([find host="172.16.0.2"]="") do={add disabled=no down-script="" host=172.16.0.2 \
   interval=1m timeout=1s up-script=upgrade}
 :if ([find host="172.16.0.3"]="") do={add disabled=no down-script="" host=172.16.0.3 \
   interval=1m timeout=1s up-script=upgradefirm}
 :if ([find host="172.16.0.4"]="") do={add disabled=yes down-script="" host=172.16.0.4 \
   interval=1m timeout=1s up-script=rebooting}

How it all fits together and functions when you need it.

To make additions to CPE scripts, upgrade ROS versions or adjust firmware versions, load upgrade.rsc and the ROS package file to the files on 172.16.0.1. Then enable IP addresses 172.16.0.x, depending on what you want to upgrade. To simply change settings/add scripts etc. on a CPE, enable 172.16.0.1. For ROS upgrades, enable 172.16.0.2. To do a firmware upgrade, enable 172.16.0.3 AND 172.16.0.4.

Always test the upgrade.rsc script on a single CPE before activating the network-wide IP trigger. To do this, load the upgrade.rsc file to 172.16.0.1, then log into a CPE and run

 /system script run rscfetch

and observe the outcome. Obviously this will be safest on a CPE that is physically nearby you, in case you accidentally shut down a WLAN interface or disable something requiring you to reset the CPE.

Once you are satisfied that the upgrade.rsc is not going to try to take over the world/put all your CPEs to sleep, then enable IP 172.16.0.1 on the AP/Edge Router/Gateway Router. This will set all your CPEs in motion to download and implement your upgrade.rsc file, which in turn will then allow auto ROS upgrades and firmware upgrades as controlled by your enabling of the trigger IPs.

Remember to disable the trigger IPs after a reasonable period to prevent constant downloading of the upgrade file each time a unit powers up or reconnects to the network, thus triggering the netwatch to run the rscfetch script.
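Disabling the trigger can be made part of enabling it, so that a forgotten trigger IP does not leave every reconnecting CPE importing whatever upgrade.rsc is on the server. The following is an added example, not part of the original page; the script name and the 30 minute window are hypothetical choices, and it assumes the Step 1 comments and the 172.16.0.0 network are unchanged:

```routeros
# Added example, not from the original page. Run on the central router.
# Assumes the trigger addresses still carry the comments from Step 1.
/system script
add name=cpe-trigger-window policy=read,write source="{\r\
    \n:local trigger \"CPE File Upgrade\"\r\
    \n:local window 30m\r\
    \n\r\
    \n:log warning (\"CPE trigger enabled: \" . \$trigger)\r\
    \n/ip address enable [find comment=\$trigger]\r\
    \n:delay \$window\r\
    \n/ip address disable [find comment=\$trigger]\r\
    \n:log warning (\"CPE trigger disabled: \" . \$trigger)\r\
    \n\r\
    \n# Report any trigger address that is still up, whoever enabled it.\r\
    \n:foreach a in=[/ip address find network=172.16.0.0 disabled=no] do={\r\
    \n  :log error (\"CPE trigger still enabled: \" . [/ip address get \$a comment])\r\
    \n}\r\
    \n}"

# Open the upgrade window from the terminal:
/system script run cpe-trigger-window
```

If the router reboots during the window the address stays enabled, so check the log or `/ip address print` after the window should have closed.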

This has been tested and works on ROS v5.20, and has been in production with us since v4.17.

This might be useful to the less skilled operators who need to simplify adjusting items on their Client Units.

Brian

Zimbabwe