Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4933
Views
0
Helpful
3
Replies

TCL EXEC command not available in EEM scripts

Go to solution
fabios
Level 1
Level 1

‎12-11-2011 12:24 AM

Hello all,

I am in the process of writing a script that checks the ip assigned to an interface (Dialer assigned by PPPoE) checks a FQDN resolution and if the two IP do not match retrieve an URL hence updating a Dynamic DNS (I know there is built in support in IOS for dynamic DNS but it does not always work and I need to make sure I can reach remotely the router).

The issue is when I run the script from the CLI it appears to work, when I register it in the EEM infrastructure it seems some command fail

like exec or using the http.tcl standard library:

Is there any limitation? I could not find any and I would expect that what works in the CLI TCL interpreter would work in the EEM scripts.

Any toughts?

Fabio

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: invalid command name "exec"

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:     while executing

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: "exec "show ip interface brief | exclude unassigned""

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:     invoked from within

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: "$slave eval $Contents"

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:     (procedure "eval_script" line 7)

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:     invoked from within

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: "eval_script slave $scriptname"

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:     invoked from within

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: "if {$security_level == 1} {       #untrusted script

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:      interp create -safe slave

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:      interp share {} stdin slave

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:      interp share {} stdout slave

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: ..."

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: Tcl policy execute failed:

Dec 11 08: 12:00.275: %HA_EM-6-LOG: ddnsupdate.tcl: invalid command name "exec"

Dec 11 08: 12:05.599: %PARSER-5-CFGLOG_LOGGEDCMD: User:fabio  logged command:!exec: enable

Dec 11 08: 12:24.823: %PARSER-5-CFGLOG_LOGGEDCMD: User:fabio  logged command:no event manager policy ddnsupdate.tcl

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mtimm
Cisco Employee
Cisco Employee

‎12-11-2011 07:09 AM

Hi Fabio,

EEM runs TCL in Safe-TCL mode.  This is documented here:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl.html#wp1174624

Exec is not allowed from Safe-TCL.  The proper way to do this from EEM is to use the EEM cli library, open a tty with cli_open, send the commands you want and read the responses using cli_write/cli_read and/or cli_exec then close the cli if you want using cli_close or let the script end.

Mike

View solution in original post

0 Helpful
3 Replies 3

Go to solution
mtimm
Cisco Employee
Cisco Employee

‎12-11-2011 07:09 AM

Hi Fabio,

EEM runs TCL in Safe-TCL mode.  This is documented here:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl.html#wp1174624

Exec is not allowed from Safe-TCL.  The proper way to do this from EEM is to use the EEM cli library, open a tty with cli_open, send the commands you want and read the responses using cli_write/cli_read and/or cli_exec then close the cli if you want using cli_close or let the script end.

Mike

0 Helpful

Go to solution
fabios
Level 1
Level 1
In response to mtimm

‎12-11-2011 10:07 PM

Hi Mike,

thanks! You are obviusly spot on I found that out in the docs (which do not spell this out but documentate cli_exec and the cli_ familyof functions).

Now I managed to run thos commands and they block until output is returned.

I did not have time to chack it and I will once I am back from a long trip but is runing a TCL script from EEM Tcl script an option? i.e:

cli_exec fd "tclsh myscript.tcl"

The reason I am asking is because http or base64 libs generate errors if loaded in EEM scripts but work in plain TCP scripts (the one you ran from kron or CMD line) therefore I could spawn a tty with the cli_open and run them with a cli_exec.

Would this be a breach of the safe mode or wold be allowed?

Also the tty that is created is in enable mode and so all commands are available or is in user mode?

Sorry for hitting you with so many questions but Cisco docs on TCL is a bit scarse and sparse.

Fabio

0 Helpful

Go to solution
mtimm
Cisco Employee
Cisco Employee
In response to fabios

‎12-12-2011 08:25 AM

Hi Fabio,

cli_exec will block but cli_write will not.  With cli_write you are simply writing to the tty and then you are expected to read from the tty to determine if you received back what you wanted using cli_read or cli_read_pattern.

Calling a tcl script from within eem Tcl can be done but it is not advisable as it opens another tcl shell and duplicates the resources of Tcl.  Assuming you are using a version that supports it, you are better off implementing the script in EEM as a multi-event policy that allows for what ever event you want to normally trigger it as well as a none event so you can run it from the cli if that is really a requirement.

Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents