„Software-oriented“ network management


Page 1: „Software-oriented“ network management · wh.cs.vsb.cz/sps/images/2/23/SoftwareOrientedManagement.pdf · 2019. 5. 31. · (C) 2010, Petr Grygarek

Page 2: Network Automation

Necessary for agility in networking, which is limited by manual work:

- faster changes (both customer deployments and decommissions)
- more reliable changes – limits human errors
- scalable changes even over a lot of devices

Page 3: Goals

• Vendor-neutral automation of network configuration
• Present network devices and the network to the automation/orchestration programmer in a way natural in the traditional programmers' world
  • (distributed) database with a well-known API and transaction support
• As basic networking concepts have been defined for years, stable network service abstractions can/should be defined now

Page 4: Problems with current management methods (1)

• SNMP failed completely as a configuration management protocol
  • respective MIB objects are not unified across vendors or not defined at all
  • command ordering problems
  • lack of atomicity – distributed transactions over multiple devices
  • as a result, SNMP is widely used just for network monitoring
• CLI scripting is mostly used instead
  • the advantage is that a rich set of freely available text-processing tools can be utilized

Page 5: Problems with current management methods (2)

• No common data model exists even for basic configuration elements
  • e.g. static routes
• Configuration and monitoring data are not clearly separated in MIBs

Page 6: RFC 3535: Overview of the 2002 Internet Architecture Board Network Management Workshop

• Summarizes outcomes from an IETF workshop with network operators and protocol developers, focused on network management technologies currently being developed in the IETF
• Identifies common requirements of network operators for configuration management

Page 7: RFC 3535: Most important requirements

• Ease of use
• Clear separation between configuration and operational data (state)
• Configure the network as a whole rather than configuring individual devices
  • distributed transaction support – atomic update of configuration on multiple devices
• Standard database schema – data model common for all vendors
• Proper operation ordering to get from state A to state B is to be implemented inside the managed device, not handled by the NMS
• Configuration backup & restore: provide the complete config at once & paste it to another device. Easy comparison of configurations.
• Text-based configurations – allow usage of tools like diff, CVS etc.
• Multiple configuration datastores support: decouple configuration transfer to the managed device from its actual activation

Page 8: NetConf and YANG

The model stems from best practices obtained during years of operating networks using CLI scripting and SNMP, and conforms with RFC 3535.

• NetConf
  • domain-specific protocol for configuration management
  • remote primitives to edit configuration on managed device(s) by manipulating the respective data model
• YANG
  • A data modelling language that describes individual configuration elements in a vendor-independent manner (both semantics and exact data encoding)
  • Each managed device can provide the supported data models that fully specify how to manage it

NetConf messages contain payload formatted according to the YANG specification for the respective configuration element to be read or manipulated.

Page 9: Dynamic nature of a device's configuration models

• When the network management system (NMS) establishes a NetConf session with a managed device, the device sends a Hello with a list of its „capabilities“ – supported YANG models (both standard and vendor specific)
• The NetConf client can then download a particular YANG model from the managed device (get-schema NetConf command) and configure the device according to the syntax/semantics specified there
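The Hello exchange described above, as an added example that is not part of the original slides: a client-side helper that parses a server Hello, separates protocol capabilities (candidate datastore, confirmed commit) from advertised YANG modules, and builds the get-schema RPC (RFC 6022) for downloading one of them. The Hello document, the module names, the revisions and the example.com namespace are constructed for this example; only the standard library is used, so it runs offline.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
MON_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"   # namespace of the RFC 6022 get-schema RPC

# Constructed <hello> as a NETCONF server sends it right after the SSH session is established.
# Module names, revisions and the example.com namespace are made up for this example.
SAMPLE_HELLO = """<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-interfaces?module=ietf-interfaces&amp;revision=2018-02-20</capability>
    <capability>http://example.com/ns/yang/acme-logging?module=acme-logging&amp;revision=2019-01-01&amp;features=syslog,tls</capability>
  </capabilities>
  <session-id>42</session-id>
</hello>
"""


def parse_hello(xml_text):
    """Split a server <hello> into (session-id, protocol capabilities, YANG modules).

    A capability URI carrying ?module=...&revision=... advertises a YANG module (RFC 6241
    section 8); everything else is a protocol capability such as :candidate."""
    root = ET.fromstring(xml_text)
    session_id = root.findtext(f"{{{NC_NS}}}session-id")
    protocol_caps, modules = [], []
    for cap in root.iterfind(f"{{{NC_NS}}}capabilities/{{{NC_NS}}}capability"):
        uri = (cap.text or "").strip()
        namespace, _, query = uri.partition("?")
        params = parse_qs(query)
        if "module" in params:
            features = params.get("features", [""])[0]      # comma-separated list, may be absent
            modules.append({
                "name": params["module"][0],
                "revision": params.get("revision", [None])[0],
                "namespace": namespace,
                "features": features.split(",") if features else [],
            })
        else:
            protocol_caps.append(uri)
    return session_id, protocol_caps, modules


def supports(protocol_caps, short_name):
    """True if e.g. ':candidate' or ':confirmed-commit' was advertised (any version)."""
    return any(f":capability:{short_name.lstrip(':')}:" in cap for cap in protocol_caps)


def build_get_schema(module, revision=None, message_id="101"):
    """Build the <get-schema> RPC (RFC 6022) that downloads one YANG module's source text."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    get_schema = ET.SubElement(rpc, f"{{{MON_NS}}}get-schema")
    ET.SubElement(get_schema, f"{{{MON_NS}}}identifier").text = module
    if revision:
        ET.SubElement(get_schema, f"{{{MON_NS}}}version").text = revision
    ET.SubElement(get_schema, f"{{{MON_NS}}}format").text = "yang"
    return ET.tostring(rpc, encoding="unicode")


def schema_requests_from_hello(xml_text):
    """One get-schema RPC per advertised module, with consecutive message-ids."""
    _, _, modules = parse_hello(xml_text)
    return [build_get_schema(m["name"], m["revision"], str(101 + i)) for i, m in enumerate(modules)]


if __name__ == "__main__":
    sid, caps, mods = parse_hello(SAMPLE_HELLO)
    print("session", sid, "candidate datastore supported:", supports(caps, ":candidate"))
    for m in mods:
        print(m["name"], m["revision"], m["features"])
    print(build_get_schema(mods[0]["name"], mods[0]["revision"]))
```

The client is expected to answer with its own Hello listing at least the base capability; a sensible NMS checks `supports(caps, ":candidate")` before relying on candidate-based workflows, since a device without it exposes only a directly writable running datastore.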

Page 10: NetConf

Base specification:
RFC 6241: Network Configuration Protocol (NETCONF)

Some extensions:
• RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)
• RFC 6470: Network Configuration Protocol (NETCONF) Base Notifications
• RFC 6022: YANG Module for NETCONF Monitoring
• ...

Page 11: NetConf Basic Features

• Separates configuration and operational data
• Client-server architecture
  • The NMS acts as a NetConf client, the managed device is a NetConf server
• Implemented using a layered model
• Supports multiple configuration datastores on managed devices
  • running / candidate / startup config
  • the running config may not be directly writable
• Configuration validation before commit
• Transactions over multiple managed devices
• Selective configuration/operational data retrieval (filtering)
• Notification events
  • streaming & playback of events of a specified type

Complexity is pushed from the network management system to the managed devices.

Page 12: Transactions in NetConf (1)

Adheres to the traditional ACID properties:

• Atomicity – performs all or nothing if something fails
• Consistency – all operations specified in any order will be done at once, in an order that makes sense for the managed device
• Independence – concurrent clients operate in parallel, transactions are serialized internally
• Durability – done is done

Page 13: Transactions in NetConf (2)

• The NMS is freed from the complexity of „undoing“ partially successful actions (rollback)
  • compare with standardized SQL with transaction support
  • huge saving of error-handling code in the NMS
• The consistency feature guarantees that the NMS does not need to define operations in a particular order (e.g. creation of an interface does not have to precede adding a route via the new interface in an edit-config message) – the managed device is responsible for proper ordering if it is needed
• The possibility to validate the candidate configuration is a prerequisite of committing a distributed transaction (followed by candidate config activation on all devices)
• A confirmed commit causes the managed device to roll back automatically if the second (confirming) commit is not sent within the specified timeout or the management connection is broken

Page 14: NetConf Layered Model

• TCP
• SSH/TLS + certificates
  • also handles authentication and content encryption
• Remote Procedure Call semantics
• NetConf commands and notifications (in XML)
• NetConf command payload (formatted according to the respective YANG model)

Page 15: NetConf Messages (1)

- Remote procedure call (RPC) paradigm
- Messages are encoded in XML

• get – reads either configuration or operational data
• get-config – reads configuration data
  • optional support for XPath filtering
• edit-config – updates part of the configuration
  • operations: merge, replace, create, delete / remove
    • define how a configuration section will be combined with the existing config
  • test-options: test-then-set (default), set, test-only (validation)
  • error-options: stop-on-error (default), continue-on-error, rollback-on-error
• copy-config – copies config data between datastores, e.g. running to startup
• delete-config – deletes the entire configuration in a specified datastore

Page 16: NetConf Messages (2)

• lock, unlock – lock a specified datastore for exclusive access
  • optional partial lock
• close-session – closes the management session gracefully
• kill-session – closes a management session forcefully
• commit – copies the candidate datastore to the running config
• discard-changes – deletes the changes in the candidate datastore
• cancel-commit – aborts a confirmed commit
• Confirmed commit: a 2nd commit within the specified timeout is needed, otherwise a rollback occurs
• get-schema (RFC 6022) – gets the contents of a particular YANG module listed in the device's capabilities
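The server-side semantics of slides 13, 15 and 16, as an added example that is not part of the original slides: a toy NetConf server model with candidate and running datastores, exclusive locks, the edit-config operations with their test-option and error-option behaviour, validation before commit, and a confirmed commit whose automatic rollback fires either when the timeout expires unconfirmed or when the management session drops. The data tree is a nested dict, paths are slash-separated names, and `mtu_rule` is a constructed validation rule standing in for a YANG range constraint; the clock is passed in explicitly (`now`) so the timeout behaviour is deterministic.

```python
import copy

class NetconfError(Exception):
    """Stands in for an <rpc-error>; the message mimics the error-tag."""

def apply_op(tree, op, path, value=None):
    """Apply one edit-config operation to a nested-dict data tree; path like 'interfaces/eth0/mtu'."""
    parts = path.strip("/").split("/")
    node = tree
    for part in parts[:-1]:
        if not isinstance(node.get(part), dict):
            if op not in ("merge", "replace", "create"):
                raise NetconfError("data-missing")
            node[part] = {}                       # writing operations create missing parents
        node = node[part]
    leaf = parts[-1]
    if op in ("delete", "remove"):
        if op == "delete" and leaf not in node:   # delete errors on an absent node, remove does not
            raise NetconfError("data-missing")
        node.pop(leaf, None)
    elif op == "create" and leaf in node:
        raise NetconfError("data-exists")
    elif op == "merge" and isinstance(node.get(leaf), dict) and isinstance(value, dict):
        node[leaf].update(value)                  # merge keeps sibling leaves, replace would drop them
    elif op in ("create", "replace", "merge"):
        node[leaf] = value
    else:
        raise NetconfError("unknown-attribute")

def mtu_rule(tree):
    """Constructed validation rule standing in for a YANG 'range 68..9216' constraint on mtu."""
    return [f"{name}: mtu {intf['mtu']} out of range"
            for name, intf in tree.get("interfaces", {}).items()
            if isinstance(intf, dict) and "mtu" in intf and not 68 <= intf["mtu"] <= 9216]

class Device:
    """Toy NETCONF server: candidate/running datastores, locks, validation, confirmed commit."""

    def __init__(self, running, validator=lambda tree: []):
        self.running, self.candidate = copy.deepcopy(running), copy.deepcopy(running)
        self.validator, self.locks, self.pending = validator, {}, None   # locks: datastore -> session

    def _check_lock(self, datastore, session, error):
        if self.locks.get(datastore, session) != session:       # held by somebody else
            raise NetconfError(error)

    def lock(self, datastore, session):
        self._check_lock(datastore, session, "lock-denied")
        self.locks[datastore] = session

    def edit_config(self, session, ops, test_option="test-then-set", error_option="stop-on-error"):
        """ops: list of (operation, path, value) tuples. Returns the errors encountered."""
        self._check_lock("candidate", session, "in-use")
        work = copy.deepcopy(self.candidate)                      # edits land on a scratch copy
        errors = []
        for op, path, value in ops:
            try:
                apply_op(work, op, path, value)
            except NetconfError as err:
                errors.append(f"{op} {path}: {err}")
                if error_option == "rollback-on-error":
                    return errors                                 # candidate stays untouched
                if error_option == "stop-on-error":
                    break                                         # continue-on-error keeps going
        if test_option == "test-only" or (test_option == "test-then-set" and errors):
            return errors                                         # nothing applied ('set' keeps partial results)
        self.candidate = work
        return errors

    def commit(self, session, confirmed=False, timeout=600, now=0.0):
        """Validate, then activate the candidate; a confirmed commit is provisional until a plain commit confirms it."""
        self._check_lock("running", session, "in-use")
        problems = self.validator(self.candidate)
        if problems:
            raise NetconfError("operation-failed: " + "; ".join(problems))
        backup = copy.deepcopy(self.running) if self.pending is None else self.pending["backup"]
        self.running = copy.deepcopy(self.candidate)
        self.pending = {"backup": backup, "deadline": now + timeout, "session": session} if confirmed else None

    def _rollback(self):
        self.running = self.pending["backup"]                     # restore the pre-change running config
        self.candidate = copy.deepcopy(self.running)
        self.pending = None

    def tick(self, now):
        """Server timer: a confirmed commit whose timeout passed without confirmation is rolled back."""
        expired = self.pending is not None and now >= self.pending["deadline"]
        if expired:
            self._rollback()
        return expired

    def session_dropped(self, session):
        """A broken management connection releases the session's locks and rolls back its pending commit."""
        self.locks = {d: s for d, s in self.locks.items() if s != session}
        if self.pending is not None and self.pending["session"] == session:
            self._rollback()
            return True
        return False
```

The point of the confirmed-commit path is operational safety: a change that cuts the NMS off from the device (a wrong route or ACL) undoes itself when the confirming commit cannot arrive. Real servers additionally persist the backup so the rollback survives a restart, which this toy does not model.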

Page 17: How to play with NetConf?

• NetConf browser
  • GUI that establishes an SSH session to a NetConf server and provides tools to send individual NetConf commands with a specified payload
  • various NetConf browsers (both free and commercial) are available
• netconf-console utility
  • same as the above but in command-line style
• Python ncclient library

Page 18: YANG („Yet Another Next Generation“)

• Data modelling language
  • not an information modelling language (like UML), as it also describes implementation details (protocol-specific constructs, data representation on the wire, …) – not just a conceptual model (see RFC 3444)
  • … which is why XML-based modelling languages were rejected and a new language had to be specified
• RFC 6020 – YANG – A Data Modeling Language for the Network Configuration Protocol (NETCONF)
• RFC 7950 – The YANG 1.1 Data Modeling Language
• In principle, the data model corresponds to the device API
• NetConf, RESTConf and any other RPC-style remote management protocols' commands can be autogenerated equally easily

Page 19: YANG Data Model

• Abstraction of (part of) the network configuration
• Defines configuration data or operational state data (current status, statistics, historical trends)
• Tree structure
• Resources are identified by paths in the tree
• Instances of schema trees are called data trees and are encoded in XML

Configuration is represented in a hierarchical, text-oriented format, which is advantageous for its further automated processing.

Page 20: YANG Modules

• Module = group of definitions
• Every module has a unique namespace
• Module structure:
  • header info
  • imports/includes
  • type definitions
  • config & operational data definitions
  • action (RPC function) and notification declarations

Page 21: Basic YANG Language Constructs (1)

• Leaf nodes:
  • Leaf = actual variable (at most one instance)
  • Leaf-list = list of leafs (may have multiple instances)
• Non-leaf nodes:
  • Container = set of leaf or non-leaf nodes. At most one instance.
  • List = like Container but may have multiple instances („container-list“)
    • the key item defines the unique (indexing) item
    • other items may also be defined as unique
    • Navigating in lists: /myList[name='Adam']/age = 32
  • Leafref = reference to another existing leaf
    • Path or XPath expression

Page 22: Basic YANG Language Constructs (2)

• All leafs can be either R/W (config true is the default attribute) or R/O
  • A leaf with config false is not provided by get-config
• Every element has a description field => YANG modules are self-documenting

Page 23: Common YANG Data Types (RFC 6991)

• intN, uintN, decimal64 (= float)
• string
• enum
• bits = bit array
• binary = BLOB
• leafref, identityref
• typedef, union – like in C

ietf-yang-types: networking & SNMP-like data types (IP addresses, counter, gauge, …)

Allowed values can be further restricted using range, length, pattern (regexp) and similar keywords.

Page 24: YANG: Leaf Definition Syntax

  leaf L {
    type ttt;
    mandatory true/false;
    config true/false;
    default value;
    description "xxx";
    units U;                        // for displaying purposes only
    must <XPath boolean constraint>;
      // Tool to enforce semantic consistency, checks relations with values in other leafs
      // All XPath 1.0 operators are allowed in the expression
    when <XPath expr>;              // leaf L can be used only if the XPath expression is true
  }
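What a server does with the leaf statements of slide 24 and the type restrictions of slide 23 when it receives an edit-config, as an added example that is not part of the original slides: a small validator that enforces the built-in integer widths, `range`, `length`, `pattern`, `enumeration`, `mandatory` and `default`, and a `get-config` view that omits `config false` leaves (slide 22). The leaf definitions (`NAME`, `MTU`, `ENABLED`, `SPEED`, `IN_OCTETS`) are constructed for this example and are expressed as plain dicts rather than parsed YANG; the `must` and `when` XPath statements are not modelled.

```python
import re


class YangError(ValueError):
    """Constraint violation, roughly what a server reports as an <rpc-error> invalid-value."""


# Built-in integer types: name -> (unsigned?, bit width), e.g. uint16 -> (True, 16)
INT_TYPES = {f"{u}int{b}": (u == "u", b) for u in ("", "u") for b in (8, 16, 32, 64)}


def parse_ranges(spec):
    """YANG range/length syntax '68..9216 | 65535' -> [(68, 9216), (65535, 65535)]."""
    ranges = []
    for part in spec.split("|"):
        lo, _, hi = part.strip().partition("..")
        lo = int(lo)
        ranges.append((lo, int(hi) if hi else lo))
    return ranges


def in_ranges(value, spec):
    return any(lo <= value <= hi for lo, hi in parse_ranges(spec))


def check_leaf(leaf, value):
    """Validate one leaf instance against its definition and return the effective value.

    leaf is a dict mirroring the statements of slide 24: name, type (with optional
    range/length/pattern/enums), mandatory, default, config. value None = leaf absent."""
    name, typ = leaf["name"], leaf["type"]
    if value is None:
        if leaf.get("mandatory", False):
            raise YangError(f"{name}: mandatory leaf missing")
        return leaf.get("default")                       # default substitutes a missing leaf
    base = typ["name"]
    if base in INT_TYPES:
        unsigned, bits = INT_TYPES[base]
        if not isinstance(value, int) or isinstance(value, bool):
            raise YangError(f"{name}: {base} expected")
        lo, hi = (0, 2 ** bits - 1) if unsigned else (-(2 ** (bits - 1)), 2 ** (bits - 1) - 1)
        if not lo <= value <= hi:
            raise YangError(f"{name}: {value} does not fit {base}")
        if "range" in typ and not in_ranges(value, typ["range"]):
            raise YangError(f"{name}: {value} outside range {typ['range']}")
    elif base == "string":
        if not isinstance(value, str):
            raise YangError(f"{name}: string expected")
        if "length" in typ and not in_ranges(len(value), typ["length"]):
            raise YangError(f"{name}: length {len(value)} outside {typ['length']}")
        # YANG patterns are XSD regexes anchored at both ends, hence fullmatch rather than search
        if "pattern" in typ and not re.fullmatch(typ["pattern"], value):
            raise YangError(f"{name}: {value!r} does not match {typ['pattern']}")
    elif base == "enumeration":
        if value not in typ["enums"]:
            raise YangError(f"{name}: {value!r} not one of {typ['enums']}")
    elif base == "boolean":
        if not isinstance(value, bool):
            raise YangError(f"{name}: boolean expected")
    else:
        raise YangError(f"{name}: unsupported type {base}")
    return value


def validate_instance(leaves, data):
    """Check every leaf of a container and fill in defaults; returns the normalised data."""
    result = {}
    for leaf in leaves:
        val = check_leaf(leaf, data.get(leaf["name"]))
        if val is not None:
            result[leaf["name"]] = val
    return result


def get_config_view(leaves, data):
    """What get-config returns: config false leaves (operational state) are omitted."""
    return {leaf["name"]: data[leaf["name"]] for leaf in leaves
            if leaf.get("config", True) and leaf["name"] in data}   # config true is the default


# Constructed leaf definitions for an interface container (names and constraints made up)
NAME = {"name": "name", "mandatory": True,
        "type": {"name": "string", "length": "1..15", "pattern": "[a-z][a-z0-9-]*"}}
MTU = {"name": "mtu", "default": 1500, "type": {"name": "uint16", "range": "68..9216"}}
ENABLED = {"name": "enabled", "default": True, "type": {"name": "boolean"}}
SPEED = {"name": "speed", "type": {"name": "enumeration", "enums": ["10m", "100m", "1g"]}}
IN_OCTETS = {"name": "in-octets", "config": False, "type": {"name": "uint64"}}   # operational state
INTERFACE_LEAVES = [NAME, MTU, ENABLED, SPEED, IN_OCTETS]
```

Because the model carries the constraints, the NMS does not need its own copy of them: an out-of-range value is refused by the device with a descriptive error, which is where the "huge saving of error-handling code" of slide 13 comes from.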

Page 25: YANG: Leaf-list Definition Syntax

  leaf-list xxx {
    type ttt;
  }

Page 26: YANG: Container Definition Syntax

  container CCC {
    leaf item1 { type ttt1; }
    leaf item2 { type ttt2; }
    container item3 { ... }
  }

Page 27: Presence containers

  container ssh {
    presence "enables ssh";
  }

Creation of this container by the NMS starts the ssh service on the managed device (as a usage example).

Page 28: YANG: List Definition Syntax

  list users {
    key "login-name";          // must be present if config true
    unique "full-name";        // optional: other leafs may be declared unique as well
    leaf login-name {
      type string;
    }
    leaf full-name {
      type string;
    }
    // optional specs: max-elements, min-elements, ordered-by, …
  }
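The list semantics of slides 21 and 28 in working form, as an added example that is not part of the original slides: a toy instance store for one YANG `list` that enforces the key, `unique`, `min-elements` and `max-elements`, plus path navigation of the `/myList[name='Adam']/age` kind over containers (dicts) and lists, which also gives the existence check that a `leafref` to a list entry requires. The `users` list and its entries are constructed for this example.

```python
import re


class YangError(ValueError):
    """Constraint violation on the data tree."""


class YangList:
    """Instances of one YANG 'list': key, unique, min/max-elements (slides 21 and 28)."""

    def __init__(self, name, key, unique=(), min_elements=0, max_elements=None):
        self.name, self.key, self.unique = name, key, tuple(unique)
        self.min_elements, self.max_elements = min_elements, max_elements
        self.entries = []

    def get(self, key_value):
        return next((e for e in self.entries if e[self.key] == key_value), None)

    def add(self, entry):
        if self.key not in entry:                        # key is mandatory for config lists
            raise YangError(f"{self.name}: key '{self.key}' missing")
        if self.get(entry[self.key]) is not None:
            raise YangError(f"{self.name}: data-exists for key {entry[self.key]!r}")
        for leaf in self.unique:
            if leaf in entry and any(e.get(leaf) == entry[leaf] for e in self.entries):
                raise YangError(f"{self.name}: unique constraint on '{leaf}' violated")
        if self.max_elements is not None and len(self.entries) >= self.max_elements:
            raise YangError(f"{self.name}: too-many-elements (max {self.max_elements})")
        self.entries.append(dict(entry))

    def delete(self, key_value):
        if self.get(key_value) is None:
            raise YangError(f"{self.name}: data-missing")
        if len(self.entries) - 1 < self.min_elements:
            raise YangError(f"{self.name}: too-few-elements (min {self.min_elements})")
        self.entries = [e for e in self.entries if e[self.key] != key_value]


STEP = re.compile(r"^([\w-]+)(?:\[([\w-]+)='([^']*)'\])?$")   # name  or  name[key='value']


def resolve(root, path):
    """Navigate a path such as /myList[name='Adam']/age over containers (dicts) and YangLists."""
    node = root
    for step in path.strip("/").split("/"):
        match = STEP.match(step)
        if not match:
            raise YangError(f"malformed step {step!r}")
        name, key, key_value = match.groups()
        if isinstance(node, YangList):                   # cannot descend into a list without a key
            raise YangError(f"{node.name}: list entry must be selected with [key='value']")
        if not isinstance(node, dict) or name not in node:
            raise YangError(f"data-missing at {step!r}")
        node = node[name]
        if key is not None:
            if not isinstance(node, YangList) or key != node.key:
                raise YangError(f"{name}: predicate must use the list key")
            node = node.get(key_value)
            if node is None:
                raise YangError(f"{name}: no entry with {key}={key_value!r}")
    return node


def leafref_valid(root, list_path, key_name, value):
    """leafref semantics: a value is acceptable only if the referenced list entry exists."""
    try:
        resolve(root, f"{list_path}[{key_name}='{value}']")
        return True
    except YangError:
        return False


def build_sample():
    """Constructed data tree: a 'system' container holding the 'users' list of slide 28."""
    users = YangList("users", key="login-name", unique=("full-name",), min_elements=1, max_elements=2)
    users.add({"login-name": "adam", "full-name": "Adam Smith", "age": 32})
    return {"system": {"users": users}}


if __name__ == "__main__":
    tree = build_sample()
    print(resolve(tree, "/system/users[login-name='adam']/age"))   # 32
```

The key and unique checks are what make a list safe to edit with merge semantics: a second entry with the same key updates rather than duplicates, and a leafref whose target entry is later deleted is caught at validation time instead of leaving a dangling reference in the running config.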

Page 29: RPC Actions

Triggered by the NMS.
Example action: activate_software_image

  rpc xxx {
    input {
      type_definition
    }
    output {
      type_definition
    }
  }

Page 30: RPC Notifications

The NetConf client can subscribe to receive notifications of a specific type, or ask the NetConf server to play back notifications of some type.

  notification config_changed {
    description "Configuration changes logging event";
    leaf who {
      type string;
    }
    leaf what {
      type string;
    }
  }

Page 31: Groupings

grouping = reusable subtree structure

  grouping GGG {
    …
  }

  container CCC {
    uses GGG {
      refine GGGitemX { definition_changed }
    }
  }

Page 32: Augmenting

• Way for one module to „hook“ itself into another module
• For example, an additional leaf can be added to an existing container definition and create a new type
• Transparent to the NetConf client

Page 33: Identities

• Advanced enums: hierarchical, extensible
• Type identityref: refers to a base type
  • all descendant values are also OK

Page 34: Features

Conditional extension of the data model based on the availability of some „feature“.

Features provided by the NetConf server are present in the Hello message.

  feature myFeat {
    description "DDD";
  }

  container logging {
    if-feature myFeat;
    … entries to be included only if myFeat exists
  }
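Identities (slide 33) and features (slide 34) in working form, as an added example that is not part of the original slides: an identity registry that validates `identityref` values by walking the base chain, so the base and every descendant are accepted and anything else is rejected, and a schema-pruning step that keeps only the nodes whose `if-feature` statements are satisfied by the feature names the server advertised in its Hello. The identity names (`crypto-alg`, `aes`, …) and the `SAMPLE_SCHEMA` tree are constructed for this example and are not taken from any standard module.

```python
class YangError(ValueError):
    """Constraint violation on the data tree."""


class IdentityRegistry:
    """Identities form a hierarchy; an identityref leaf typed with a base identity accepts
    the base itself and every identity derived from it, directly or transitively (slide 33)."""

    def __init__(self):
        self.base_of = {}                               # identity name -> base name or None

    def define(self, name, base=None):
        if base is not None and base not in self.base_of:
            raise YangError(f"identity {name}: unknown base {base}")
        self.base_of[name] = base

    def derived_from_or_self(self, name, base):
        if name not in self.base_of:
            raise YangError(f"unknown identity {name}")
        current = name
        while current is not None:                      # walk up the base chain
            if current == base:
                return True
            current = self.base_of[current]
        return False

    def check_identityref(self, leaf_name, base, value):
        """Validate an identityref leaf value; returns the value if acceptable."""
        if not self.derived_from_or_self(value, base):
            raise YangError(f"{leaf_name}: {value} is not derived from {base}")
        return value


def prune_for_features(schema, advertised):
    """Keep only schema nodes whose if-feature statements are all among the features the
    server advertised in its Hello (slide 34); children of a dropped node disappear with it."""
    kept = {}
    for name, node in schema.items():
        if all(feature in advertised for feature in node.get("if-feature", ())):
            pruned = {k: v for k, v in node.items() if k != "children"}
            if "children" in node:
                pruned["children"] = prune_for_features(node["children"], advertised)
            kept[name] = pruned
    return kept


def build_registry():
    """Constructed identity tree (names made up for this example, modelled on algorithm identities)."""
    reg = IdentityRegistry()
    reg.define("crypto-alg")
    reg.define("hash-alg")
    reg.define("aes", "crypto-alg")
    reg.define("aes-256-gcm", "aes")
    reg.define("sha-256", "hash-alg")
    return reg


# Constructed schema fragment: 'logging' exists only with feature syslog, its 'tls' child only with tls
SAMPLE_SCHEMA = {
    "system": {"children": {"hostname": {"type": "string"}}},
    "logging": {"if-feature": ["syslog"], "children": {
        "server": {"type": "inet:host"},
        "tls": {"if-feature": ["tls"], "children": {"cert": {"type": "string"}}},
    }},
}


if __name__ == "__main__":
    reg = build_registry()
    print(reg.check_identityref("cipher", "crypto-alg", "aes-256-gcm"))
    print(sorted(prune_for_features(SAMPLE_SCHEMA, {"syslog"})["logging"]["children"]))
```

A vendor can extend the accepted values by defining a new identity derived from the base in its own module, without touching the module that declares the leaf; that is what makes identities more extensible than a closed enumeration. Pruning by advertised features is the client-side counterpart: an NMS that sends a `logging/tls` subtree to a server that did not advertise `tls` gets an error, so it should prune first.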

Page 35: YANG in practice

pyang command-line utility
• displays a YANG model file graphically (tree)
  • text, XML, ...
  • or just a particular model subtree starting at a specified level
• YANG format/syntax validation

Cisco YDK – generates code with classes (Python/C++) based on a particular YANG model

Page 36

Standardized YANG data models

• IETF
  • official, long formal approval process
  • https://github.com/YangModels/yang
• OpenConfig
  • more agile, but sometimes multiple approved models for the same functionality exist in parallel
  • http://www.openconfig.net
• ITU, IEEE, ETSI, MEF, …
• Native model – some vendors expose their own (nonstandard) model for the device, natural to the device's config logic
  • Sometimes they expose a standard model with limited capabilities in parallel

Page 37

YANG Model Catalog

• http://www.yangcatalog.org/

Page 38

Useful references for NetConf and YANG

• NETCONF and YANG Tutorial part 1a: NETCONF and YANG Overview
  • https://www.youtube.com/watch?v=Vr4kB1_6fLQ
• NETCONF and YANG Tutorial Part 1b: Relation to SDN
  • https://www.youtube.com/watch?v=m6spTjQyTEo
• NETCONF and YANG Tutorial Part 2: NETCONF
  • https://www.youtube.com/watch?v=xoPZO1N-x38#t=35.357354
• NETCONF YANG Tutorial Part 3: YANG
  • https://www.youtube.com/watch?v=33VBb6N4yOY
• BRKNMS-2032 - YANG Data Modeling and NETCONF
  • https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=93815
• Tail-F Systems technology brief: Instant YANG
  • http://www.tail-f.com/wordpress/wp-content/uploads/2014/02/Tail-f-Instant-YANG.pdf
• Test workbench: 2x CSR1000V in VirtualBox with Vagrant
  • http://gitlab.cisco.com/rschmied/dp-workbench

Page 39

REST APIs

• Not a standard, just a design principle (CRUD)
• Resources identified by URLs
• HTTP operations
• XML/JSON encoded data

Page 40

RESTConf (RFC 8040)

• Lightweight HTTP API for NETCONF datastores
• Limited functionality compared to NetConf
  • REST => operates on a single resource at a time only, no transactions, no locking
  • always operates on the running config
• GET/POST/PATCH/DELETE HTTP methods to edit resources represented as YANG models
• Configuration data in JSON/XML
• Supported operations defined in YANG
  • Defines a method (URL) to get the supported YANG module list (corresponds to NetConf capabilities in the Hello message)
  • URL to get individual YANG module contents (corresponds to the NetConf get-schema command)
  • Support for W3C server-sent events (corresponds to NetConf notifications)
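Two details of RFC 8040 that the slide only names are worth seeing in code: how a data resource URL is formed (list keys after "=", with percent-encoding, so an interface name containing "/" does not split the path) and how the module list replaces the Netconf Hello capabilities. The Python below is an added example, not from the slides or from any RESTCONF implementation; the "/restconf" root, the interface name and the JSON document are constructed (the module names and revisions are the IETF ones, but the document is not a capture from a real device).

```python
"""Added example, not from the slides: building RESTCONF (RFC 8040) resource
URLs and reading the module list a server exposes through ietf-yang-library.
The server root, the interface name and the JSON document below are
constructed for illustration."""

import json
from typing import Dict, Sequence, Tuple
from urllib.parse import quote

# RFC 8040 section 3.1: the root is discovered from /.well-known/host-meta;
# "/restconf" is the usual value and is assumed here.
RESTCONF_ROOT = "/restconf"

# One step of an instance path: a node name (module-qualified for the first
# node, or whenever the module changes) and the key values of a list entry.
Step = Tuple[str, Sequence[str]]


def data_url(steps: Sequence[Step], root: str = RESTCONF_ROOT) -> str:
    """Encode a data resource URL per RFC 8040 section 3.5.3.

    List keys follow the node name after "=", several keys are separated by
    ",".  Every key value is percent-encoded with no characters left "safe",
    so "/" in an interface name becomes %2F instead of splitting the path.
    """
    segments = []
    for name, keys in steps:
        segment = name
        if keys:
            segment += "=" + ",".join(quote(k, safe="") for k in keys)
        segments.append(segment)
    return root.rstrip("/") + "/data/" + "/".join(segments)


def schema_url(module: str, revision: str, root: str = RESTCONF_ROOT) -> str:
    """URL of the "schema" leaf of one module; a GET on it returns the location
    of the YANG source (RESTCONF's counterpart of NETCONF <get-schema>)."""
    return data_url([("ietf-yang-library:modules-state", ()),
                     ("module", (module, revision))], root) + "/schema"


# Constructed response body for
#   GET /restconf/data/ietf-yang-library:modules-state
#   Accept: application/yang-data+json
# This list is RESTCONF's counterpart of the capability list in the NETCONF <hello>.
MODULES_STATE_JSON = json.dumps({
    "ietf-yang-library:modules-state": {
        "module-set-id": "constructed-set-1",
        "module": [
            {"name": "ietf-interfaces", "revision": "2018-02-20",
             "namespace": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
             "conformance-type": "implement", "feature": ["arbitrary-names"]},
            {"name": "ietf-yang-types", "revision": "2013-07-15",
             "namespace": "urn:ietf:params:xml:ns:yang:ietf-yang-types",
             "conformance-type": "import"},
        ],
    }
})


def implemented_modules(body: str) -> Dict[str, Dict[str, object]]:
    """Parse a modules-state document and return only the modules the server
    implements (conformance-type "implement"); "import" modules supply types
    but have no data nodes of their own and cannot be targeted by requests."""
    doc = json.loads(body)["ietf-yang-library:modules-state"]
    result: Dict[str, Dict[str, object]] = {}
    for mod in doc.get("module", []):
        if mod.get("conformance-type") != "implement":
            continue
        revision = mod.get("revision", "")
        result[mod["name"]] = {
            "revision": revision,
            "features": set(mod.get("feature", [])),
            "schema": schema_url(mod["name"], revision),
        }
    return result


if __name__ == "__main__":
    print(data_url([("ietf-interfaces:interfaces", ()),
                    ("interface", ("GigabitEthernet0/0/1",))]))
    for name, info in implemented_modules(MODULES_STATE_JSON).items():
        print(name, info["revision"], sorted(info["features"]), info["schema"])
```

Because every request touches one resource and there is no lock, a multi-step change has to be made idempotent on the client side (PUT or PATCH the whole subtree, verify with a GET); RFC 8040 also requires the transport to be HTTPS with client authentication, so the URLs above are only ever sent over TLS.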

Page 41

Infrastructure Orchestration Tools

Page 42

Ansible

• Automation language + automation engine
• Managing applications, OSes, virtualization infrastructure, network
• Open source, freely available
• Control machine (Linux) + agentless managed devices
  • Managed device has to provide SSH server capability + Python interpreter
  • Control machine communicates over SSH, installs Python scripts
• Alternatively, local mode can be utilized for managed devices without SSH server capability
  • agent runs on the control machine and communicates with the managed device by alternative means (e.g. REST API)

Page 43

Ansible Components

• Inventory
  • list of managed devices
  • variables associated with individual devices
  • device groups
• Modules
  • Python scripts to implement a particular task on some platform
  • Roughly correspond to device drivers
• Playbooks
  • Control what tasks should be done (using modules)

Page 44

Ansible Inventories

• List of managed devices
• ini-file format (group names in []):

[MYHOSTS]
R1.example.com
R2.example.com ansible_port=2222   # overrides value in [MYHOSTS:vars]

[MYHOSTS:vars]
ansible_port=2222

• Host may belong to multiple groups
• Host variables defined directly in the inventory file or separately in per-host files (host_vars/per-host-file)
  • e.g. credentials for individual managed devices
• Multiple hosts can be defined using the „range“ construct: SQLhost[01:04]
• Dynamic inventory: content obtained e.g. from LDAP
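To make the two inventory rules above concrete (a host-line variable overrides the same variable from [group:vars], and SQLhost[01:04] expands to four hosts), here is a small parser for the ini format. It is an added example, not Ansible's own inventory plugin and not code from the slides; the inventory text and every value in it are constructed, and the group-level ansible_port is set to 22 so that the per-host override is visible.

```python
"""Added example, not from the slides: a minimal parser for the ini-style
inventory format shown above, demonstrating host-over-group variable
precedence and "range" host names.  The inventory text is constructed."""

import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory.  The group value of ansible_port is 22 so the
# per-host override on R2.example.com is visible in the result.
SAMPLE_INVENTORY = """\
[MYHOSTS]
R1.example.com
R2.example.com ansible_port=2222
SQLhost[01:04] ansible_user=dbadmin

[MYHOSTS:vars]
ansible_port=22
ansible_user=netops
"""

RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")


def expand_range(hostname: str) -> List[str]:
    """SQLhost[01:04] -> SQLhost01 .. SQLhost04; leading zeros keep their width."""
    m = RANGE_RE.search(hostname)
    if m is None:
        return [hostname]
    lo, hi = m.group(1), m.group(2)
    width = len(lo)
    return [hostname[:m.start()] + str(n).zfill(width) + hostname[m.end():]
            for n in range(int(lo), int(hi) + 1)]


# (host-level vars, group members, group-level vars)
Inventory = Tuple[Dict[str, Dict[str, str]], Dict[str, List[str]], Dict[str, Dict[str, str]]]


def parse_inventory(text: str) -> Inventory:
    """Parse an ini inventory into host vars, group membership and group vars."""
    host_level: Dict[str, Dict[str, str]] = {}
    members: Dict[str, List[str]] = defaultdict(list)
    group_level: Dict[str, Dict[str, str]] = defaultdict(dict)
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":            # comment lines, as in Ansible's ini plugin
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None:
            raise ValueError(f"line {lineno}: host outside any [group]")
        if section.endswith(":vars"):
            key, _, value = line.partition("=")
            group_level[section[:-len(":vars")]][key.strip()] = value.strip()
            continue
        name, *assignments = line.split()
        extra = dict(a.split("=", 1) for a in assignments)   # key=value tokens after the host
        for host in expand_range(name):
            host_level.setdefault(host, {}).update(extra)
            members[section].append(host)
    return host_level, dict(members), dict(group_level)


def effective_vars(host: str, inventory: Inventory) -> Dict[str, str]:
    """Merge the group vars of every group the host belongs to, then let the
    host's own variables win (Ansible's host-over-group precedence)."""
    host_level, members, group_level = inventory
    merged: Dict[str, str] = {}
    for group, hosts in members.items():
        if host in hosts:
            merged.update(group_level.get(group, {}))
    merged.update(host_level[host])
    return merged


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    for h in sorted(inv[0]):
        print(h, effective_vars(h, inv))
```

A side effect worth noticing: any variable placed on a host line (including a credential) ends up in the same plain-text file as the host list, which is why the slide points at per-host files under host_vars/ for such values.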

Page 45

Ansible Modules

• Module is a script to accomplish a particular task
  • Written in Python by Ansible definition
  • PowerShell can be used to manage Windows devices
  • technically, any scripting language could be used
• Normally runs on the managed device
  • ssh access to managed device,
  • copy of Python script, run, cleanup
• Optionally runs in local mode
  • for managed devices without SSH server and/or Python interpreter
    • lots of network devices
  • runs on the control server
  • SSH to managed box using Python/Paramiko SSH implementation
    • Starts local commands on the managed device via SSH session
  • Alternatively uses API calls to the managed device

Page 46

Ansible Playbooks

• Controls execution of tasks (utilizing modules)
• Consists of one or multiple Plays
• Each Play defines devices (groups) to perform tasks on and which tasks (modules) to start (plus respective parameters)
• Vendor-agnostic – limited vendor lock in
  • vendor specific functionality is contained in Ansible modules
• YAML format

Page 47

Playbook structure

name
hosts: group to run playbook on
vars: section – variable definition
tasks: section – modules to be run, variables can be utilized here
{{ inventory_hostname }}
  – represents the currently processed host

Page 48

Ansible Variables

• Contain parameters of individual managed nodes
  • defined in inventory
• May also be defined in playbook
• May also be passed from the command line
• Jinja2 format: {{ myVar }}
  • in YAML file in quotes
• Facts = special type of variables with values obtained from the managed device before a playbook is run
  • using the “setup” module/script run against the managed device

Page 49

Ansible Templates

• Utilizes Jinja2 templating engine
• Renders output text based on template and parameters to be iterated through
• Template can contain conditional inclusion of text and iterations
• Contains control tags like {% if … %}, {% else %} and {% endif %}

Page 50

Usage of Templates in Ansible Playbook

tasks:
  - name: aDemoTask
    template:
      src: example.jinja
      dest: <destination path on managed device>
    with_items: <parameters to be passed to template>

Page 51

Ansible-vault

• Encrypts a playbook with a password that has to be provided when the playbook is run
• Useful e.g. not to expose passwords hardcoded in the playbook
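The reason ansible-vault exists is the failure mode the slide names: a credential typed straight into a playbook, vars file or inventory line. The check below finds such values before they are committed, by reporting secret-looking variables whose value is neither a !vault-tagged string nor a template expression resolved at run time. It is an added example, not part of ansible-vault or of the slides; both sample files are constructed and the vault blob in the playbook is a placeholder, not real ciphertext.

```python
"""Added example, not from the slides: a check that reports credentials left in
plaintext in playbooks, vars files and inventories, i.e. values that should have
been protected with ansible-vault.  Sample files are constructed."""

import re
from typing import List, Tuple

# Variable names that normally hold a credential.  Extend for your own naming.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|token|community|api[_-]?key)", re.I)
# "key: value" on a YAML line (optionally a list item) and "key=value" tokens on an ini line.
YAML_KV_RE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][\w.-]*)\s*:\s*(.*)$")
INI_KV_RE = re.compile(r"([A-Za-z_][\w.-]*)=(\S+)")
# A whole file encrypted with "ansible-vault encrypt" starts with this header;
# a single value encrypted with "ansible-vault encrypt_string" carries the !vault tag.
VAULT_FILE_HEADER = "$ANSIBLE_VAULT;"

Finding = Tuple[int, str]    # (line number, variable name)


def _is_protected(value: str) -> bool:
    """Vaulted values and template expressions (secrets fetched at run time,
    e.g. from an environment variable via lookup) are not plaintext."""
    return value.startswith("!vault") or "{{" in value


def find_plaintext_secrets(text: str) -> List[Finding]:
    """Return (line, variable) for every secret-looking variable with a plaintext value."""
    lines = text.splitlines()
    if lines and lines[0].startswith(VAULT_FILE_HEADER):
        return []                         # the whole file is vault-encrypted
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, 1):
        yaml = YAML_KV_RE.match(line)
        if yaml:
            # drop a trailing "# comment" from the YAML value
            pairs = [(yaml.group(1), yaml.group(2).split(" #", 1)[0].strip())]
        else:
            pairs = INI_KV_RE.findall(line)
        for key, value in pairs:
            if value and SECRET_NAME_RE.search(key) and not _is_protected(value):
                findings.append((lineno, key))
    return findings


# Constructed playbook: one plaintext password (reported), one vaulted secret
# and one secret pulled from the environment at run time (both accepted).
PLAYBOOK = """\
---
- hosts: MYHOSTS
  vars:
    ansible_user: netops
    ansible_password: Sup3rSecret!          # plaintext -> reported
    enable_secret: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30313233343536373839616263646566      # placeholder, not real ciphertext
    snmp_community: "{{ lookup('env', 'SNMP_COMMUNITY') }}"
  tasks:
    - name: show hostname
      debug:
        msg: "{{ inventory_hostname }}"
"""

# Constructed inventory with a credential on a host line.
INVENTORY = """\
[MYHOSTS]
R1.example.com ansible_password=plain123
R2.example.com ansible_port=2222
"""


if __name__ == "__main__":
    for name, content in (("playbook.yml", PLAYBOOK), ("inventory.ini", INVENTORY)):
        for lineno, key in find_plaintext_secrets(content):
            print(f"{name}:{lineno}: plaintext value for {key}")
```

Each reported value is replaced with the output of ansible-vault encrypt_string (or the whole vars file is encrypted with ansible-vault encrypt), and the vault password is then supplied at run time with --ask-vault-pass or --vault-password-file rather than stored next to the playbook.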

Page 52

YAML
Yet Another Markup Language

• Simple text format, easy to understand
• YAML file starts with ---, ends with ...
• Structure defined by indentation (like in Python)
• Lists & Dictionaries
• Online YAML validator: http://www.yamllint.com

Page 53

YAML Syntax Example

Fruits:
  - apple
  - orange
  - plum
Honza:
  Name: Jan Novak
  Job: programmer
  Skills: good

Page 54

Running Ansible

• ansible <parameters>
  • manual ad-hoc start of a command/module
• ansible-playbook -i <inventory-file> playbook.yml
• dry run: no changes actually done, just displays the actions to be done
  • parameter -C

Page 55

References

https://www.ansible.com/quick-start-video
http://docs.ansible.com/ansible/glossary.html
http://docs.ansible.com/ansible