Odd problems with RANCID and config.xml



  • A long time ago, I set up my pfSense firewalls to back up their configs via rancid, based on this thread: https://forum.pfsense.org/index.php?topic=54029. The rancid pieces work very well, but I'm seeing something very odd on one of my firewalls (I have two in a CARP pair).

    One of them works fine; I only get notified when the config really changes. However, the secondary is almost constantly seeing config changes. The code that polls the config is pretty simple:

    cat /conf/config.xml | sed '/<patches>/,/<\/patches>/d;/<revision>/,/<\/revision>/d;/<last_rule_upd_/d'

    (that sed is in there to strip out things that frequently change). The detected changes are always in the aliases config and it looks like they always start after the fw02_lan alias. Sometimes the change is as simple as a single interface changing, sometimes an entire set of aliases disappears and then reappears at the next polling cycle. For example, this morning I saw this (IP addresses have been obscured):
    

    fw02 |    3 +--
    1 file changed, 1 insertion(+), 2 deletions(-)
    Index: configs/fw02

    retrieving revision 1.2544
    diff -u -4 -r1.2544 fw02
    @@ -5812,10 +5812,9 @@
      <name>fw02_lan</name>

    <address>172.16.xxx.xxx 2602:xxxx:xxxx:xxxx:xxxx::x</address>

    <type>host</type>

    • 	 <detail>- 		 <alias>+ 			 <detail><alias><name>fw02_sync</name>
      

    <address>172.16.xxx.xxx</address>

    <type>host</type></alias></detail></alias></detail>

    
    Followed at the next poll cycle by:
    

    fw02 |    3 ++-
    1 file changed, 2 insertions(+), 1 deletion(-)
    Index: configs/fw02

    retrieving revision 1.2545
    diff -u -4 -r1.2545 fw02
    @@ -5812,9 +5812,10 @@
      <name>fw02_lan</name>

    <address>172.16.xxx.xxx 2602:xxxx:xxxx:xxxx:xxxx::x</address>

    <type>host</type>

    • 	 <detail><alias>+ 			 <detail></detail></alias> 
      
    •  <alias><name>fw02_sync</name>
      

    <address>172.16.xxx.xxx</address>

    <type>host</type></alias></detail>

    
    Notice that neither one of those is complete; they are both missing the '' closing tag and a newline.
    
    I have never been able to reproduce the missing data when I am logged into the system and running the cat/sed command above. I initially thought it might be an issue with the xmlrpc sync writing to the file at the same time rancid is polling it, but that doesn't seem to be the case since the above two diffs happened at 8:01 and 9:01 this morning, and the config was last updated at 6:05 am.
    
    Does anyone have any ideas what might be going on? Any thoughts for a fix other than just not polling my secondary firewall with rancid?
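As an added example (not code from the original post, nor from pfSense or RANCID), here is a POSIX shell replacement for the cat/sed poll that only hands RANCID a snapshot which was read byte-identically twice in a row and still ends with the root closing tag. A torn or partial read of /conf/config.xml, which is what the truncated diffs above look like, then fails the check and is retried instead of being committed as a spurious alias change. It assumes the root element is <pfsense> (ROOT_TAG overrides it) and reuses the post's own sed filter unchanged; the retry delay RETRY_SLEEP is a hypothetical knob added here.

```shell
#!/bin/sh
# Added example, not part of the original post. Polls pfSense's config.xml for
# RANCID but only emits a snapshot that (a) was read identically twice and
# (b) still carries the root closing tag, so a partial read cannot surface as
# a bogus "config change".
# Assumptions: the root element is <pfsense> (override with ROOT_TAG);
# RETRY_SLEEP is the pause between retries (seconds).

ROOT_TAG="${ROOT_TAG:-pfsense}"
RETRY_SLEEP="${RETRY_SLEEP:-1}"

# Strip the elements that churn on every sync or rule reload (the post's filter).
filter_config() {
    sed '/<patches>/,/<\/patches>/d;/<revision>/,/<\/revision>/d;/<last_rule_upd_/d' "$1"
}

# A completely written config ends by closing the root element; a read that
# stopped somewhere inside <aliases> does not. Returns 0 when complete.
looks_complete() {
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    case "$last" in
        *"</$ROOT_TAG>"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the source twice; accept only if both reads match and are complete.
# Prints the filtered config and returns 0 on success, returns 1 after
# exhausting the retries (default 3).
stable_snapshot() {
    src="$1"; tries="${2:-3}"
    a=$(mktemp); b=$(mktemp)
    rc=1
    while [ "$tries" -gt 0 ]; do
        cat "$src" > "$a"
        cat "$src" > "$b"
        if cmp -s "$a" "$b" && looks_complete "$a"; then
            filter_config "$a"
            rc=0
            break
        fi
        tries=$((tries - 1))
        sleep "$RETRY_SLEEP"
    done
    rm -f "$a" "$b"
    return $rc
}

# Usage: ./poll_config.sh /conf/config.xml  (exit status 1 if no stable read)
if [ "$#" -gt 0 ]; then
    stable_snapshot "$1" || exit 1
fi
```

In the RANCID script that currently runs the cat/sed pipeline, calling stable_snapshot /conf/config.xml in its place means a non-zero exit marks the poll as failed rather than recording a half-written file as a revision; the next hourly cycle then diffs against the last good snapshot.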