puppet devops wdec

Cisco configuration automation using puppet/chef – Amsterdam DevOps Meetup
© 2010 Cisco and/or its affiliates. All rights reserved.

Upload: wojciech-dec

Post on 08-May-2015


DESCRIPTION

Puppet and Chef overview for network device configuration

TRANSCRIPT


Page 2: Puppet devops wdec

© 2012 Cisco and/or its affiliates. All rights reserved. 2

•  Automated configuration vs. manual configuration
•  Manual configuration:
   – Just log in and do it!
   – Fine for a very small number of systems – a very small number
   – Attempting to scale brings severe risk of carpal tunnel
   – Checklists can help... a little
   – Settings you care about are buried with everything else
   – Missing: reviewing, auditing, history, reliable documentation, drift correction

Page 3: Puppet devops wdec

•  What do they do?
   – Configure resources on your systems so you don’t have to!
   – Systems transition from current state to desired state.
   – Maintain the configuration state in “code”
   – Are idempotent
•  Problems they solve:
   – Lots of systems get configured
   – Facilitate config management (use git/gerrit) – bad configuration can be worse than no configuration
   – Correct “drift”
   – Allow staging, rollback
   – Auditing
   – Can programmatically create higher level “service” configurations.

Page 4: Puppet devops wdec

•  Ansible, CFEngine, B2Cfg, smartfrog, fabric, numerous others…
•  All frameworks work in the same (old) problem domain: config automation.
•  Differences lie in:
   – Degree of adoption
   – Business and service model of authors
   – Domain Specific Language, programming language
   – Platforms supported
   – Specializations: general IT, orchestration
   – Architecture: proxies, push-pull model, scale-out
   – Extensibility framework
   – Deterministic resource ordering
   – Good dose of religion…

Page 5: Puppet devops wdec

•  Puppet is a client (node agent) – server (master) software framework designed to automate node configuration and reporting.
•  The Puppet master stores the target high-level resource “manifest” (intent) for nodes. The manifest is compiled by the master based on “facts” collected from the node; the result is a “catalog” that is sent to the node.
•  The Puppet client interprets the catalog and selects methods to arrive at the target configuration of the resources.

Page 6: Puppet devops wdec

•  The Chef software framework is comprised of Chef Server, Chef Client (agent/node) and Chef Workstation.
•  The server stores target high-level configurations expressed in Ruby (cookbooks). Recipes in the cookbook define what is required to configure a node.
•  Cookbooks/recipes combined with attributes determine a node’s target “node-object” configuration. The server stores a representation of each node object.
•  The Chef client builds the node object from received cookbooks, recipes, etc. Clients run “Ohai” to collect local attributes on each chef run.
•  The workstation is used to author cookbooks and recipes. It uses “knife” to load these and interact with the Chef server.
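As an added illustration of the cycle described on pages 3, 5 and 6 (it is not code from the slides or from Cisco’s onePK agents), the following Ruby script models one configuration-management run in miniature: the node collects facts, a manifest plus those facts is compiled into a catalog of desired resource states (Puppet’s catalog; Chef’s node object built from Ohai attributes and recipes), and the agent converges the device idempotently and reports what changed. The resource names mirror the cisco_vlan and cisco_interface types shown on page 17 and the noop mode mirrors the agent-noop command on page 24; the device state, hostname and interface names are constructed sample data, not a real switch, and every function name is an assumption of this example.

```ruby
# Added example, not from the slides or from the onePK agents: a toy model of
# the facts -> catalog -> converge -> report cycle. All device state below is
# constructed for illustration; nothing here talks to a real NX-OS switch.

# --- node side: "facts" (the Facter / Ohai step) -----------------------------
def collect_facts(device)
  { 'hostname'   => device[:hostname],
    'os'         => device[:os],
    'interfaces' => device[:interfaces].keys.sort }
end

# --- master side: manifest + facts -> catalog --------------------------------
# A manifest is a lambda from facts to a Hash of "type[title]" => desired
# attributes. The interface resource is only declared when the fact says the
# port exists, which is the kind of decision a master makes at compile time.
MANIFEST = lambda do |facts|
  catalog = {}
  catalog['cisco_vlan[1000]'] = { 'ensure' => 'present', 'vlan_name' => 'Green', 'state' => 'active' }
  if facts['interfaces'].include?('Ethernet1/5')
    catalog['cisco_interface[Ethernet1/5]'] = { 'switchport' => 'access', 'access_vlan' => 1000 }
  end
  catalog
end

def compile_catalog(manifest, facts)
  manifest.call(facts)
end

# --- agent side: read current state, diff against desired, apply the diff ----
def split_resource(resource)
  resource.match(/\A(\w+)\[(.+)\]\z/).captures # => [type, title]
end

def current_state(device, resource)
  type, title = split_resource(resource)
  case type
  when 'cisco_vlan'
    v = device[:vlans][title.to_i]
    v ? { 'ensure' => 'present' }.merge(v) : { 'ensure' => 'absent' }
  when 'cisco_interface'
    device[:interfaces][title] || {}
  else
    raise "unknown resource type #{type}"
  end
end

# Only attributes whose current value differs from the desired one are planned,
# which is what makes the run idempotent: a converged device yields an empty plan.
def plan(device, catalog)
  catalog.each_with_object({}) do |(resource, desired), changes|
    current = current_state(device, resource)
    diff = desired.reject { |k, v| current[k] == v }
    changes[resource] = diff unless diff.empty?
  end
end

def apply_resource(device, resource, attrs)
  type, title = split_resource(resource)
  case type
  when 'cisco_vlan'
    if attrs['ensure'] == 'absent'
      device[:vlans].delete(title.to_i)
    else
      (device[:vlans][title.to_i] ||= {}).merge!(attrs.reject { |k, _| k == 'ensure' })
    end
  when 'cisco_interface'
    (device[:interfaces][title] ||= {}).merge!(attrs)
  end
end

# One agent run. noop: true behaves like the agent-noop CLI on page 24: the
# drift is reported but the device is left untouched.
def agent_run(device, manifest, noop: false)
  facts   = collect_facts(device)
  catalog = compile_catalog(manifest, facts)
  changes = plan(device, catalog)
  changes.each { |res, attrs| apply_resource(device, res, attrs) } unless noop
  { 'facts' => facts, 'changed' => changes.keys.sort, 'noop' => noop }
end

# Constructed sample device (hypothetical hostname and port layout).
def sample_device
  { hostname: 'n3k-vlab', os: 'NX-OS',
    vlans: { 1 => { 'vlan_name' => 'default', 'state' => 'active' } },
    interfaces: { 'Ethernet1/5' => { 'switchport' => 'access', 'access_vlan' => 1 },
                  'Ethernet1/6' => { 'switchport' => 'access', 'access_vlan' => 1 } } }
end

if __FILE__ == $PROGRAM_NAME
  dev = sample_device
  p agent_run(dev, MANIFEST)              # first run: creates VLAN 1000, moves Eth1/5 into it
  p agent_run(dev, MANIFEST)              # second run: nothing to change
  dev[:vlans][1000]['state'] = 'suspend'  # someone changes the VLAN by hand (drift)
  p agent_run(dev, MANIFEST, noop: true)  # noop: reports the drift, does not fix it
  p agent_run(dev, MANIFEST)              # enforcing run: drift corrected
end
```

The four runs at the bottom are the whole point: the second run reports an empty change set, the noop run after the manual VLAN change names the drifted resource without touching the device, and the enforcing run that follows restores the desired state. Auditing and history in a real deployment are the stored report Hashes from each run, which is why the function returns them rather than only printing.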


Page 8: Puppet devops wdec

Diagram: “New Paradigm” vs. “Traditional Approach”. Labels on the slide: App (C, Java, Python, Ruby); Network OS; Events, App EEM (TCL), Actions; Routing, Data Plane, Policy, Interface, Monitoring, Discovery; CLI, AAA, SNMP, HTML, XML, Syslog, SPAN, NetFlow, CDP, Routing Protocols; “Anything you can think of”.

Page 9: Puppet devops wdec

Diagram: YOUR Applications (Program / API Presentation / API Infrastructure / onePK) connected over the onePK IPC Channel to the Router/Switch (Catalyst, Nexus, ASR, ISR).

Cross OS Network Programming Environment to:

•  Innovate
•  Extend
•  Automate
•  Customize
•  Enhance
•  Modify

Page 10: Puppet devops wdec

Choose the Hosting Model that Suits Your Platform and Your Application

•  On an external server (“End-Node”): plentiful memory/compute; higher latency and delay; supported by all platforms
•  On a hardware blade (“Blade”): dedicated memory/compute; low latency and delay; requires a modular hardware blade
•  On the router (“Process”): shared memory/compute; very low latency and delay; requires a modular software architecture

Ideal for Device Agents

Page 11: Puppet devops wdec

Diagram: C, Java, Python (Ruby) program → onePK API Presentation → onePK API Infrastructure → network OS: IOS / XE (Catalyst, ISR, ASR1K), NXOS (Nexus platforms), IOS XR (ASR 9K, CRS).

Page 12: Puppet devops wdec

Base Service Set – Description

Data Path – Provides packet delivery service to application: Copy, Punt, Inject
Policy – Provides filtering (NBAR, ACL), classification (Class-maps, Policy-maps), actions (Marking, Policing, Queuing, Copy, Punt) and applying policies to interfaces on network elements
Routing – Read RIB routes, add/remove routes, receive RIB notifications
Element – Get element properties, CPU/memory statistics, network interfaces, element and interface events
Discovery – L3 topology and local service discovery
Utility – Syslog events notification, path tracing capabilities (ingress/egress and interface stats, next-hop info, etc.)
Developer – Debug capability, CLI extension which allows an application to extend/integrate the application’s CLIs with the network element

Slide callout: “Used by onePK Puppet/Chef Agent”

Page 13: Puppet devops wdec

•  onePK provides manageability abstraction
   – Helps avoid CLI scraping
   – Consistent across cisco OSes
   – Exposes dynamic device state and configuration
•  Linux Container
   – Runs distribution on OS kernel
   – Fitted with cisco onepk libraries
   – Isolates application failures from Network Element
   – Flexibility for application developers

Diagram (NX-OS device components): Management Agents – Traditional Management Agents (CLI, syslog, SNMP, XML) and Next Generation Management Agents (Puppet, ..); Manageability Abstraction – onePK PL, Transport/Marshaling, onePK AL, OS Shim; Device Management Infrastructure – OS-specific Management Infrastructure, XOS and Component APIs; Linux Container hosting new agents (Puppet, Chef, …).

Page 14: Puppet devops wdec

Diagram: two agent architectures. Left – Master/Server ↔ Device Proxy Agent ↔ device over SSH or OnePK. Right – Master/Server ↔ Device Agent (with OnePK) running in Linux container(s) on NXOS.

Page 15: Puppet devops wdec

Diagram repeated from page 14: Master ↔ Device Proxy Agent (SSH, OnePK) ↔ device, versus Master ↔ Device Agent (OnePK) in Linux container(s) on NXOS.

Device agent (container on the device)
Pros:
-  Each agent maps directly to the managed device
-  Machine’s characteristics (facts) exposed as its own
-  Easily extensible; does not require core puppet code changes
-  Automated agent plugin code download from master
-  Better scale
-  Integration with CLI
Cons:
-  Requires LXC container capability on the device

Device proxy agent
Pros:
-  No specific device requirements
-  One agent could proxy for multiple machines
Cons:
-  More complicated agent (device proxy)
-  Requires extensions in core “device” mode code
-  Scale and authentication management


Page 17: Puppet devops wdec

class cisco_onep {
  $ciscodev = "n3k-vlab"

  # Cisco Device
  cisco_device { $ciscodev:
    #log   => debug,
    ensure => present,
  }

  # Cisco Interface
  cisco_interface { 'Ethernet1/5':
    switchport  => access,
    access_vlan => 1000,
  }

  # Cisco VLAN (title quoted: resource titles must be strings)
  cisco_vlan { '1000':
    ensure    => present,
    vlan_name => 'Green',
    state     => active,
  }
}

Page 18: Puppet devops wdec

Diagram: a Puppet run between the Master (onePK module: classify, compile, report) and the Nexus switch (container running the Puppet Agent on the onePK Infra, reaching the device through the onePK API). Sequence: 1. Request (agent → master), 2. Reply (catalog, master → agent), 3. Execute (agent applies the catalog via the onePK API), 4. Report (agent → master).

Page 19: Puppet devops wdec

•  Puppet agent is available for EFT
   – Currently Nexus 3000k and 7000k only
   – Cisco plugin resource types + providers
   – Master plugin and agent container image – not directly customer accessible
•  Chef agent coming up
   – Currently Nexus 3000k and 7000k only
   – Heavyweight resource provider add-on
   – Agent container image – not directly customer accessible
•  Initial set of capabilities for each: device characteristics, interface and VLAN configuration, STP configuration
•  If you’d like to extend the agents, contact your cisco account manager/partner.

Page 20: Puppet devops wdec

•  Plenty of configuration management automation tools out there
   – Help with the task of running operations at scale
   – Puppet and Chef are two of the more popular/mature ones
•  Cisco One-PK
   – Cisco device library set and SDK allowing development of applications for controlling/configuring cisco devices
   – Language bindings available in C, Java, Python, (Ruby). (Or SWIG your own ;-) )
•  Puppet and Chef agents for Nexus switches built using One-PK
   – Help automate the production resources
   – Will be available as a switch container image + server extension package

Page 21: Puppet devops wdec

Diagram: zero-touch bring-up of a “bare-metal” N3k (NXOS) with POAP, followed by a Puppet run. Participants: N3k, DHCP Server, SCP Server, Puppet Master, Puppet Agent.

1. N3k power-on; DHCP Solicit (POAP options)
2. DHCP Offer (POAP script, config file name, image names)
3. SCP copy (config, images)
4. Base configuration activated and container installed
5. Puppet device agent run triggered
6. Puppet facts collection (name, mac-address, current config, etc.) – OnePK API used for device facts collection
7. Puppet Master determines catalog
8. Puppet catalog delivered (target interface and VLAN config, etc.)
9. OnePK API used for device configuration – N3k VLANs configured

Base OS and configuration: not puppet managed. Production resources configuration: puppet managed.

Page 22: Puppet devops wdec


Thank you

Page 23: Puppet devops wdec

onePK Puppet Agent CLI – Configuration

Command – Description – Example
Onep Application – Application-name – onep applications puppet
Puppet – Version – puppet v0.8
Master – Puppet Master IPv4/FQDN and port – master bxb-oa-linux2.cisco.com port 8999
VRF – VRF name – vrf management
Cert-name – Certificate name; supports shared and non-shared certificates – cert-name n3k-oa-3.cisco.com
Environment – Environment (categorization) – environment bxb_oa_n3k_3
Node-name – Node name – node-name facter
Default-username – Device credentials – default-username lab password lab
Run-interval – Run frequency – run-interval 180
Domain-name – Domain name – domain-name cisco.com
Splay – Pseudo-random frequency add (splay) – splay splay-limit 60
Activate – Activate daemon mode – activate
Name-server – DNS – name-server 173.37.87.157

Page 24: Puppet devops wdec

onePK Puppet Agent CLI – Execution & Monitoring

Command – Group – Description – Example
Noop – Execute – Noop execution – execute onep application puppet v0.8 puppet_agent agent-noop
Oneshot – Execute – One-time execution – execute onep application puppet v0.8 puppet_agent agent-oneshot
Ssl-all – Clear – Clear all certificates and private keys – clear onep application puppet v0.8 puppet_agent ssl-all
Ssl-cert – Clear – Clear certificate – clear onep application puppet v0.8 puppet_agent ssl-cert
Show Oper Data – Show – Show puppet agent config data (master (server) name, run interval, etc.) – show onep application puppet v0.8 puppet_agent agent oper-data
Show Last Exec Log – Show – Show log from the most recent noop or oneshot mode run (exec mode run) – show onep application puppet v0.8 puppet_agent agent last-exec-log
Show Run History – Show – Show logs from the most recent daemon mode runs – show onep application puppet v0.8 puppet_agent agent run-history run-number 1
Show Puppet Config – Show – Shows puppet agent --configprint all – show onep application puppet v0.8 puppet_agent config
Show Puppet Copyright – Show – Show Puppet Agent copyright – show onep application puppet v0.8 puppet_agent copyright
Show Facter – Show – Show all facter variables – show onep application puppet v0.8 puppet_agent facter
Show Log CLI – Show – Troubleshooting support – show onep application puppet v0.8 puppet_agent agent log cli

Page 25: Puppet devops wdec

onePK Puppet Agent CLI – Debug

Command – Group – Description – Example
Debug Puppet Agent Level – Debug – Enable debug level (verbose, etc.) – debug onep application puppet v0.8 puppet_agent agent level 1
Debug Puppet CLI – Debug – CLI troubleshooting – debug onep application puppet v0.8 puppet_agent cli
Debug Puppet pmgmt – Debug – Management daemon troubleshooting – debug onep application puppet v0.8 puppet_agent pmgmt
Debug Puppet Util – Debug – Utility troubleshooting – debug onep application puppet v0.8 puppet_agent util
