puppet devops wdec

1 © 2010 Cisco and/or its affiliates. All rights reserved.

Cisco configuration automation using puppet/chef Amsterdam DevOps Meetup

© 2012 Cisco and/or its affiliates. All rights reserved. 2

•  Automated configuration vs. Manual configuration • Manual configuration:

Just log in and do it! Fine for very small number of systems – a very small number Attempting to scale brings severe risk of carpal tunnel Checklists can help... a little Settings you care about buried with everything else Missing:

Reviewing Auditing History Reliable documentation Drift correction


•  What do they do? Configure resources on your systems so you don’t have to! Systems transition from current state to desired state. Maintain the configuration state in “code” Are idempotent

•  Problems they solve: Lots of systems get configured Facilitate config management ( use git/gerrit) – Bad configuration can be worse than no configuration Correct “drift” Allow staging, rollback Auditing Can programmatically create higher level “service” configurations.


•  Ansible, CFEngine, B2Cfg, smartfrog, fabric, numerous others…

•  All frameworks work in the same (old) problem domain; Config automation.

•  Differences lie in: Degree of adoption Business and service model of authors Domain Specific Language, Programming Language Platforms supported Specializations: General IT, Orchestration Architecture; proxies, push-pull model, scale-out. Extensibility framework Deterministic resource ordering Good dose of religion…


•  Puppet is client (node agent) – server (master) software framework designed to automate node configuration and reporting.

•  Puppet master stores target high level resource “manifest” (intent) for nodes. Manifest is compiled by the master based on “facts” collected from the node. This is a “catalog” that gets sent to nodes

•  Puppet client interprets catalog and selects methods to arrive at the target configuration of the resources


•  Chef software framework is comprised of Chef Server, Chef Client (agent/node), Chef Workstation.

•  Server stores target high level configurations expressed in Ruby (cookbooks). Recipes in the cookbook define what is required to configure a node.

•  Cookbooks/recipes combined with attributes determine a node’s target “node-object” configuration. Server stores a representation of each node object

•  Chef client build the node object from received cookbooks, recipes, etc.

Clients run “Ohai” to collect local attributes on each chef run.

•  Workstation is used to author cookbooks and recipes. Uses “knife” to load these and interact with the Chef server.


New Paradigm Traditional Approach

App C

Java Python

Ruby

Network OS

Events

App EEM (TCL)

Actions

Routing

Data Plane

Policy

Interface

Monitoring

Discovery

CLI

AAA

SNMP

HTML

XML

Syslog

Span

Netflow

CDP

Routing Protocols

Any

thin

g yo

u ca

n th

ink

of


Router/ Switch

YOUR Applications

onePK

Program

API Presentation

API Infrastructure

Catalyst Nexus ASR ISR

onePK IPC Channel

Cross OS Network Programming Environment to:

•  Innovate

•  Extend

•  Automate

•  Customize

•  Enhance

•  Modify


Choose the Hosting Model that Suits Your Platform and Your Application

10

App

Bla

de

App

App

On An External Server •  Plentiful memory/compute •  Higher latency and delay •  Supported on by all platforms

On A Hardware Blade •  Dedicated memory/compute •  Low latency and delay •  Requires modular hardware blade

On the Router •  Shared memory/compute •  Very low latency and delay •  Requires modular software architecture

“End-Node”

“Blade”

“Process”

Ideal for Device Agents


C, Java, Python (Ruby) Program

onePK API Presentation

onePK API Infrastructure

IOS / XE (Catalyst, ISR, ASR1K)

NXOS (Nexus Platforms)

IOS XR (ASR 9K, CRS)


Base Service Set Description

Data Path Provides packet delivery service to application: Copy, Punt, Inject

Policy Provides filtering (NBAR, ACL), classification (Class-maps, Policy-maps), actions (Marking, Policing, Queuing, Copy, Punt) and applying policies to interfaces on network elements

Routing Read RIB routes, add/remove routes, receive RIB notifications

Element Get element properties, CPU/memory statistics, network interfaces, element and interface events

Discovery L3 topology and local service discovery

Utility Syslog events notification, Path tracing capabilities (ingress/egress and interface stats, next-hop info, etc.)

Developer Debug capability, CLI extension which allows application to extend/integrate application’s CLIs with network element

Used by onePK Puppet/Chef Agent


NX

OS

•  onePK provides manageability abstraction. Helps avoid CLI scraping Consistent across cisco OSes Exposes dynamic device state and configuration

•  Linux Container Runs distribution on OS kernel Fitted with cisco onepk libraries Isolates application failures from Network Element Flexibility for application developers

Device Components

Management Agents

Manageability Abstraction

Device Management Infrastructure

OS-specific Management Infrastructure XOS and Component APIs

Traditional Management Agents (CLI, syslog,

SNMP, XML)

Next Generation Management

Agents (Puppet, ..)

onePK PL

Transport/Marshaling

onePK AL

OS Shim

Linu

x C

onta

iner

New agents (Puppet, Chef, …)


Master/Server

Device Proxy Agent

SSH, OnePK

Device Proxy Agent Device Agent

Master/Server

Agent

OnePK

Linux container(s) on NXOS

Agent

OnePK


Master

Device Proxy Agent

SSH, OnePK

Device Proxy Agent Device Agent

Master

Agent

OnePK

Linux container(s) on NXOS

Agent

OnePK

Pros: -  Each Agent maps directly to managed

device -  machine’s characteristics (facts) exposed

as own -  Easily extensible. Does not require core

puppet code changes -  Automated agent plugin code download

from master -  Better Scale -  Integration with CLI Cons: -  Requires LXC container capability on

device

Pros: -  No specific device requirements -  One agent could proxy for multiple

machines Cons: -  More complicated agent (device proxy). -  Requires extensions in core “device” mode

code -  Scale and authentication management


class cisco_onep { $ciscodev = ”n3k-vlab" cisco_device {$ciscodev: #log => debug, ensure => present, } cisco_interface { 'Ethernet1/5': switchport => access, access_vlan => 1000, } cisco_vlan { 1000: ensure => present, vlan_name => ’Green', state => active, } }

Cisco Device

Cisco Interface

Cisco VLAN


Master Nexus Switch

onePK Module

Classify

Compile

Report

Container

onePK Infra

Puppet Agent

3. Execute

1. Request

4. Report

2. Reply

onePK API


•  Puppet agent is available for EFT Currently Nexus 3000k and 7000k only Cisco Plugin Resource Types + Providers Master plugin and agent container image – not directly customer accessible

•  Chef agent coming up Currently Nexus 3000k and 7000k only Heavy Weight Resource Provider add-on Agent Container image – not directly customer accessible

•  Initial set of capabilities for each: Device characteristics Interface and VLAN configuration STP configuration

•  If you’d like extend the agents – contact your cisco account manager/partner. J


•  Plenty of Configuration Management Automation tools out there Help with the task of running operations at scale Puppet and Chef are two of the more popular/mature ones

•  Cisco One-PK Cisco device library set and SDK allowing development of applications for controlling/configuring cisco devices Language bindings available in C, Java, Python, (Ruby). (Or SWIG your own ;-) )

•  Puppet and Chef agents for Nexus switches built using One-Pk Helps automate the production resources. Will be available as a switch container image + server extension package.


NXOS

“bare –metal” N3k Power-on

DHCP Server SCP Server

DHCP Solicit (POAP options)

Puppet Master Puppet Agent

DHCP Offer (POAP script, config file name, image names)

SCP copy (config, images)

Puppet (Facts collection: name, mac-address, current config, etc)

Base Configuration activated and container installed

Puppet device agent run triggered

Puppet Master determines catalog

Puppet (Catalog: target Interface and VLAN, config, etc)

OnePK API used for device facts

collection

OnePK API used for device configuration N3k VLANs

configured

N3k

Base OS and Configuration (not puppet managed)

Production Resources configuration(puppet managed)


onePK Puppet Agent CLI - Configuration Command Description Example

Onep Application Application-name onep applications puppet

Puppet Version puppet v0.8

Master Puppet Master IPv4/FQDN and Port master bxb-oa-linux2.cisco.com port 8999

VRF VRF name vrf management

Cert-name Certificate name: Support shared certificate and non-shared certificate

cert-name n3k-oa-3.cisco.com

Environment Environment (categorization) environment bxb_oa_n3k_3

Node-name Node name node-name facter

Default-username Device credentials default-username lab password lab

Run-interval Run frequency run-interval 180

Domain-name Domain name domain-name cisco.com

Splay Pseduo random frequency add splay splay-limit 60

Activate Activate daemon mode activate

Name-server DNS name-server 173.37.87.157


onePK Puppet Agent CLI – Execution & Monitoring Command Group Description Example

Noop Execute Noop execution execute onep application puppet v0.8 puppet_agent agent-noop

Oneshot Execute One time execution execute onep application puppet v0.8 puppet_agent agent-oneshot

Ssl-all Clear Clear all certificates and private keys clear onep application puppet v0.8 puppet_agent ssl-all

Ssl-cert Clear Clear certificate clear onep application puppet v0.8 puppet_agent ssl-cert

Show Oper Data Show Show puppet agent config data (master (server) name, run interval, etc.)

show onep application puppet v0.8 puppet_to agent agent oper-data

Show Last Exec Log

Show Show log from most recent noop or oneshot mode run (exec mode run)

show onep application puppet v0.8 puppet_agent agent last-exec-log

Show Run History Show Show logs from most recent daemon mode runs

show onep application puppet v0.8 puppet_agent agent run-history run-number 1

Show Puppet Config

Show Shows puppet agent –config print all show onep application puppet v0.8 puppet_agent config

Show Puppet Copyright

Show Show Puppet Agent copyright show onep application puppet v0.8 puppet_agent copyright

Show Facter Show Show all facter variables. show onep application puppet v0.8 puppet_agent facter

Show Log CLI Show Troubleshooting support show onep application puppet v0.8 puppet_agent agent log cli


onePK Puppet Agent CLI – Debug Command Group Description Example

Debug Puppet Agent Level

Debug Enable debug level (verbose, etc.) debug onep application puppet v0.8 puppet_agent agent level 1

Debug Puppet CLI Debug CLI Troubleshooting debug onep application puppet v0.8 puppet_agent cli

Debug Puppet pmgmt

Debug Management daemon troubleshooting

debug onep application puppet v0.8 puppet_agent pmgmt

Debug Puppet Util Debug Utility troubleshooting debug onep application puppet v0.8 puppet_agent util

puppet devops wdec

Technology