TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs


Upload: robb-boyd

Post on 08-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

TECHNOLOGY YOU CAN USE, FROM GEEKS YOU CAN TRUST!

Robb Boyd @robbboyd techwisetv.com

Page 2: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

TechWiseTV Workshop - Accelerate Your IT Tasks with Open NX-OS

Shane Corban, Product Manager, Cisco
Carl Caum, Technical Marketing, Puppet
December 10th 2015

Page 3: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Agenda

• Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options

Page 4: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs


What problem are we trying to solve?

“I can spin up servers in minutes with my Configuration Management Tool workflows, why does it take orders of magnitude more to spin up and affect change on my Network Elements?”

IT Organizations adopting DevOps processes and tools deploy 30x more frequently with 200x shorter lead times; they have 60x fewer failures and recover 168x faster.

Page 5: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Data Center Automation and IT Collaboration
Today: Serialized Configuration and Management

[Diagram labels: Application Requirements; Applications; Services (CMT); Network (CMT); Compute (CMT); Configuration Management Tool (CM Tools) / Open APIs; Successful Deployment]

Slow, Manual, Error Prone – Bottleneck!

Page 6: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Cisco NX-OS – Programmable – Extensible – Open

[Diagram labels: BootStrap and Provisioning (POAP, PXE); Programmability Tools (NX-API CLI, NX-API REST); Package and Application Management; Native Agent SDK; Extensibility; Server Management Tools; Standard Open Interfaces]

Ease of Operations, Modular, Open, 3rd Party Apps, Programmable, Ready for DevOps

Page 7: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Agenda

• Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options

Page 8: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Open NX-OS Linux Based Architecture

Off the shelf Applications without modifications

Leverage ability to install third party packages in Secure Guestshell or natively in NX-OS kernel
• Install all third party applications (Puppet/Chef, Splunk/Nagios/Ganglia) as RPMs

Daemon managed via standard Linux interfaces

Built-in support for YUM package manager

Patching and upgrade using standard rpm/yum workflows
• NX-OS processes (BGP) can be upgraded/patched via “yum update”

[Diagram labels: Build Server; Open Embedded 64 bit Build Environment; C app with standard Linux constructs; Package as RPM; RPM Upload; Cisco/Local Repository; RPM Local Repository; Target Switch; Linux Daemon; init.d; Linux Kernel; Raw Socket; Netdevs; Libpcap; ASIC; Monitoring server]

Page 9: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Open NX-OS: Third Party Application Integration
Secure Guest Shell

Native Shell, RPM + Containers

• Secure common distribution CentOS7 environment in which customer may install their own custom applications

• Use “guestshell resize” command to restrict CPU/memory/rootfs resources available to Guest Shell

[Diagram labels: Kernel (cgroup, LSM); NX-OS root file system; Guest root file system; Native Linux Processes; Bash; Ns=global; Ns=guestshell; Pkg-1.rpm, Pkg-2.rpm, Pkg-3.rpm, Pkg-4.rpm]

Page 10: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Agenda

• Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options

Page 11: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

https://opennxos.cisco.com

Built on Flexible and Modular Linux

Shipped Q3CY15

Reduce OPEX and Enable Rapid Application Deployment using DevOps Model

OPEN NXOS

KEY BENEFITS

Reduced maintenance windows, higher availability enabled by non-disruptive RPM-based live patching and process restart

Choice of DevOps automation and monitoring tools, enabling rapid application deployment and enhanced visibility

Integrate natively and securely using common DevOps configuration management tools – Chef/Puppet/Ansible

Enable greater network visibility using industry standard analytics tools – Splunk/Ganglia/Nagios

Flexibility to integrate off-the-shelf and custom applications using the Linux SDK

Page 12: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Automating Device Operational Lifecycle

Day 0: Install
GOAL: Get a device/s into an operational state?
CHALLENGE: “I can bring up a server in 5 minutes, but a switch takes 2 days…”

Day 1: Configure & Operate
GOAL: Get the network into an operational state?
CHALLENGE: Automation of configuration for servers and applications is relatively easy; how can my network be as easy?

Day 2: Optimize
GOAL: Add dynamic services, optimize behavior and troubleshooting? (Includes information from applications and the network correlated.)
CHALLENGE: My compute and application platforms are open and extensible; why is my network not?

Day N: Upgrade
GOAL: Continuously upgrade features within my network, incrementally and safely?
CHALLENGE: I can dynamically patch Linux with automated tools; why can’t I do the same with my network devices?

[Tool labels on the slide: Ignite & POAP/PXE; Ansible, Puppet and Chef, NX-API REST; Ansible, Puppet and Chef and Guestshell; Modular NX-OS Patchability, ISSU; Puppet/Chef/Ansible, NX-API REST ensure model compliance; Guestshell, Splunk/Nagios]

Page 13: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

https://github.com/datacenter/ignite

Enabling Day Zero Provisioning with Open Source Tools

PXE/iPXE

Automate day zero provisioning with open source, standards-based tools

Provides GUI for topology and configuration design packaged as an OVA, support for KVM or VMware

Acts as an image and configuration template store for POAP

Use python script extensions for third party application installation and post boot customizations

Operational Choice: Supported across Nexus 3K & 9K, bootstrap NX-OS using existing compute PXE/iPXE servers for switching infrastructure

Shipped Q3CY15

Simplify Operations, Eliminate Provisioning Errors, Reduce Cost with OPEN NXOS

Page 14: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

CM Agent Based Tool Architecture – Chef/Puppet

• Support for Puppet, Chef and Ansible
• Cisco Puppet Agent RPM/software package posted to Puppet Forge and open sourced to GitHub
• Install Cisco Puppet Module on Puppet Master
• Yum install Puppet Agent RPM on switches
• Switch Agent periodically will poll Puppet/Chef Master for updated catalog/cookbooks and attempt to converge switch to desired state

[Diagram labels: Puppet/Chef Master Server; Cisco Puppet/Chef Module (incl. utility gems); Linux Software Repository Server; Yum/RPM install puppet/chef.rpm; NX-OS; Cisco Puppet/Chef Agent; Native Linux Service /etc/init.d/puppet.d & chef.d; NX-API]

Page 15: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Open NX-OS Puppet/Chef
Cisco Chef & Puppet Agent Types/Provider Support

• Agents RPM installed natively on switch, using agent RPM or within isolated guestshell environment

• Supported Agent Types/Providers for Camden

• Cisco Network Element Chef/Puppet module code published on Git and Forge/Supermarket

• Agent is extensible beyond what we support by default by using the utility classes OR:

• Agent is also extensible by embedding CLI using cisco_command_config resource construct

Chef/Puppet Agent Types/Providers:

• cisco_vtp
• cisco_tacacs_server
• cisco_tacacs_server_host
• cisco_snmp_server
• cisco_snmp_community
• cisco_snmp_group
• cisco_ospf
• cisco_ospf_vrf
• cisco_vlan
• cisco_bgp
• cisco_bgp_vrf
• cisco_interface
• cisco_interface_ospf
• cisco_interface_vlan

Type/Provider Roadmap:

• VXLAN EVPN – Q1CY16
• Virtual Port Channel – Q2CY16
• Segment Routing – Q3CY16

Page 16: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Puppet Enterprise Overview
Automate for Speed & Reliability

Carl Caum
Technical Marketing Manager at Puppet Labs

Page 17: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Reduce The Timeline

Page 18: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Common Challenges. Critical Initiatives.

• Deliver value to business faster, more reliably
• Meet compliance & audit requirements
• Adopt & mature DevOps practices & supporting technologies
• Adopt new technology while supporting & sun-setting old

• Too much fire fighting
• Scripting & manual processes aren’t cutting it
• Provisioning systems & apps is manual, costly
• Unexpected configuration changes
• Difficult to keep up with demands from the business

Page 19: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Our software automates the provisioning, configuration & ongoing management of your network & the applications, services & software running on them.

Page 20: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Automation Best Practices
Model & Enforce Your Desired State

• Model desired state
• Continually enforce
• Audit & report

Page 21: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Automation Best Practices
Across The Lifecycle

• Provisioning
• Decommissioning
• Initial configuration
• Orchestration

Page 22: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Where To Start

• Infrastructure as Code
• Version Control
• Configuration Management
• Peer Review
• Collaboration
• Iteration
• Fast Feedback
• Visibility
• Continuous Delivery
• Automated Testing & Deployments

Page 23: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

A Unified Platform for Your Infrastructure

How we help:
• Apply DevOps practices to networking
• Manage the network just like compute
• Unify change insight & management for all infrastructure at all levels of the application stack

[Diagram labels: Network; Compute]

Page 24: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Demo 1 – Automating Open NX-OS with Puppet

• Use Case 1.1: Automatically deploying configuration based on roles

• Use Case 1.2: Understanding change as it occurs on the network

Page 25: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Configuration Management Tools
Agent vs. Agent-less Architecture

• All CM tools enforce model compliance and eliminate configuration drift
• All CM tools provide audit logging of change
• All CM tools support concept of no-op runs

• Agent based CM are “pull based”
  • Agent on managed device connects with master for config information periodically
  • Changes made on master are pulled down and executed
  • Operations are idempotent
  • Puppet and Chef are agent based

• Agent-less CM are “push based”
  • CM scripts are run on the master
  • Scripts connect to the managed device and execute the tasks
  • No timer, control lies with the master
  • Operations are idempotent
  • Ansible is agent-less

Page 26: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Ansible Enterprise Automation

Ansible Open Source
Simple. Agentless. Powerful.

• Uses OpenSSH & NX-API
• No extra code to manage
• Ready for cloud-scale
• Uses YAML for playbooks
• No special coding skills needed
• Fast learning curve
• Tasks in playbooks executed in order
• App deployment
• Orchestration
• Configuration management
• Eliminates Config Drift

Ansible Tower
Control. Security. Delegation.

• Role-Based Access Control
• Delegation of credentials/keys
• Audit trail for automation
• Centralized job runs
• Job scheduling
• Automation dashboard
• Push-button job execution
• Portal mode for delegation
• REST API for integration

Ansible 2.0 Release with Tower in Q1CY16 includes complete support for Nexus platforms

Page 27: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

DevOps: Tooling Categories

• Configuration Management
• Continuous Development / Source Control
• CI Test Simulation Environment
• Continuous Integration/Build
• The Platform

Page 28: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Open NX-OS Virtual Nexus 9000

• Use with Beaker/KitchenCI for ongoing application integration testing

• Test more often and catch errors early and often prior to live deployment

• Integrated support for VMware Fusion, ESX 5.1/5.5 and KVM (QCOW2), VMDK (Virtual Box)

• Available under controlled availability – email [email protected] with CCO ids for access

• Targeting Public Release CY16 of v9K, with ViRL integration

• Feature Parity 7.0(3)I2(2)

[Diagram labels: v9k Test Fabric; CI Tools]

Page 29: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Demo 2 – Open NX-OS Ansible Demo

• Use Case 2.1: Provisioning new tenant workloads for the network takes an exorbitant amount of time manually; use Ansible and Open NX-OS to reduce this from days to mins

Page 30: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Agenda

• Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options

Page 31: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

https://opennxos.cisco.com

Customized Automation with NX-API REST

Shipped Q3CY15

Shorten Network Deployment Times, Reduce Human Error, Build Flexible, Responsive Automation Architecture

OPEN NXOS

KEY BENEFITS

Model Based – Provides a scalable, object model based architecture for custom automation tool development

Secure - Access to all network objects is authenticated, encrypted and authorized with AAA (TACACS+, RADIUS)

Change Based Notifications - NX-API REST applications can subscribe to events from network objects without redundant polling, providing:

• Application performance benefits
• Application processing time reduction

NX-API contains a modeled representation of critical NX-OS features in a tree based hierarchical model

Objects are modified and queried using HTTP REST API calls

[Diagram labels: MIT; System; Physical (Eth1/1, Eth1/2, ..); BGP (Router-ID, Peers); ARP (ARP Entries); Object Store: class, dn: distinguished name (url), statistics, Properties (xml/json): object prop1, object prop2; Publisher; Subscribe; Any Updates – BGP Object; Push Notification – BGP Peer Down!]

Page 32: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

What are we trying to solve with NX-API REST?

Limitation with CLI Modeled Automation:

Screen Scraping:
• With NX-API REST and the object model you send objects in XML/JSON, not CLIs, to the switch, and receive objects back from the switch, removing the need for manipulation of strings in automation tools.

Centralized Database:
• Direct access to our centralized database (object store), resulting in automation tool performance improvements; no more need to go through CLI software layers

Sequencing:
• With NX-API REST there is less need to be aware of command sequencing when configuring something (conf t ; router bgp ; neighbor…)
• Want to remove or update something? You potentially have to redo the whole CLI sequence with a “no” to the last command and re-configuration, so you need to build this intelligence into your automation.

Page 33: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Referencing an Object in NX-API REST: Distinguished Name

Globally unique identifier for an object in the database

For example:

• Adding a peer address to BGP default domain:
  DN: sys/bgp/inst/dom-default/peer-[192.168.0.2]
• Viewing a physical ethernet interface’s port capabilities:
  DN: sys/phys-[eth1/1]/phys/portcap

Object Definition or naming rule will be posted to http://developer.cisco.com

[Diagram labels: System; BgpEntity; BgpInstance; BgpDomain; BgpPeer; BgpLocalASN; BgpPeerAf; BgpPeerEntry; L1PhysIf; ethpmPhysIf; ethpmPortCap; L1Load; L1StormControl]

Page 34: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

How do I utilize it?

• To configure or update something: push a new object to the switch via the HTTP POST REST API call
• To check status of something: read the relevant object using HTTP GET REST API call
• To monitor something:
  • Subscribe to an object for events related to that particular object
  • The switch will send you a push notification when this object changes
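The distinguished names on the two slides above carry "/" inside brackets (phys-[eth1/1]), so a gateway that limits an automation account to part of the object tree has to compare relative names instead of raw string prefixes. The Python below is an added example, not code from Cisco or from this presentation; the policy table and function names are hypothetical, and only the two DNs and the GET/POST usage come from the slides.

```python
def split_dn(dn):
    """Split a DN into relative names; a '/' inside [...] belongs to the name."""
    rns, cur, depth = [], [], 0
    for ch in dn:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in DN: %r" % dn)
        if ch == "/" and depth == 0:
            rns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '[' in DN: %r" % dn)
    rns.append("".join(cur))
    if "" in rns:
        raise ValueError("empty relative name in DN: %r" % dn)
    return rns


def in_subtree(dn, root):
    """True if dn is root or lies below it, compared name by name."""
    d, r = split_dn(dn), split_dn(root)
    return d[:len(r)] == r


# Hypothetical policy for one automation account: subtree -> allowed HTTP methods.
POLICY = {
    "sys/bgp/inst/dom-default": {"GET", "POST"},  # may read and configure BGP
    "sys/phys-[eth1/1]": {"GET"},                 # may only read this interface
}


def authorize(method, dn, policy=POLICY):
    """Allow a call only if a policy subtree covers dn and permits the method."""
    try:
        return any(method in methods and in_subtree(dn, root)
                   for root, methods in policy.items())
    except ValueError:
        return False  # malformed DN: deny


if __name__ == "__main__":
    # Constructed requests; the first two DNs are the ones shown on the slide.
    for method, dn in [
        ("POST", "sys/bgp/inst/dom-default/peer-[192.168.0.2]"),
        ("GET", "sys/phys-[eth1/1]/phys/portcap"),
        ("POST", "sys/phys-[eth1/1]/phys/portcap"),
        ("POST", "sys/bgp/inst/dom-default2/peer-[192.168.0.2]"),
    ]:
        print(method, dn, "->", "allow" if authorize(method, dn) else "deny")
```

The last constructed request shows why the comparison is per relative name: "dom-default2" starts with the string "dom-default" but is a different object.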

Page 35: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Demo 3 – Open NX-OS NX-API REST Demo

• Use Case 3.1: Automating the provisioning of a BGP based programmable fabric utilizing our NX-API REST object model. Reduce time to fabric deployment from days to mins.

Page 36: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Open-NXOS Reference Links

Software: Link

• Chef Agent (Supermarket): http://supermarket.chef.io
• Chef Cookbook: https://github.com/cisco/cisco-network-chef-cookbook
• NX-API REST Model: https://opennxos.cisco.com/public/api/nxapi-rest/
• Puppet Agent (Puppetforge): http://forge.puppetlabs.com
• Puppet Module: https://github.com/cisco/cisco-network-puppet-module
• Native 3rd Party Agent Repository (Cisco Repository): http://developer.cisco.com/opennxos
• Nexus 3/9K Git Repository (Scripting Examples, etc): http://github.com/datacenter/nexus9000
• Ignite Open Source Toolkit: https://github.com/datacenter/ignite
• NX Toolkit: https://github.com/datacenter/nxtoolkit
• SDK for developing native application RPMs: www.yocto.org

Page 37: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Question/Thoughts?

THANK YOU

Page 38: TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs

Thank You for Attending

For TechWiseTV episodes, TechWiseTV Workshops, Fundamentals and Networking 101’s visit http://www.Cisco.com/go/TechWiseTV.com.

https://www.facebook.com/techwise

https://twitter.com/techwisetv