Cisco configuration automation
using puppet/chef
Amsterdam DevOps Meetup
© 2010 Cisco and/or its affiliates. All rights reserved.
1

• Automated configuration vs. Manual configuration
• Manual configuration:
Just log in and do it!
Fine for very small number of systems – a very small number
Attempting to scale brings severe risk of carpal tunnel
Checklists can help... a little
Settings you care about buried with everything else
Missing:
Reviewing
Auditing
History
Reliable documentation
Drift correction
© 2012 Cisco and/or its affiliates. All rights reserved.
2

• What do they do?
Configure resources on your systems so you don’t have to!
Systems transition from current state to desired state.
Maintain the configuration state in “code”
Are idempotent
• Problems they solve:
Lots of systems get configured
Facilitate config management ( use git/gerrit) – Bad configuration can be worse than no
configuration
Correct “drift”
Allow staging, rollback
Auditing
Can programmatically create higher level “service” configurations.
© 2012 Cisco and/or its affiliates. All rights reserved.
3

• Ansible, CFEngine, B2Cfg, smartfrog, fabric, numerous others…
• All frameworks work in the same (old) problem domain; Config automation.
• Differences lie in:
Degree of adoption
Business and service model of authors
Domain Specific Language, Programming Language
Platforms supported
Specializations: General IT, Orchestration
Architecture; proxies, push-pull model, scale-out.
Extensibility framework
Deterministic resource ordering
Good dose of religion…
© 2012 Cisco and/or its affiliates. All rights reserved.
4

• Puppet is client (node agent) – server (master)
software framework designed to automate node
configuration and reporting.
• Puppet master stores target high level resource
“manifest” (intent) for nodes. Manifest is compiled
by the master based on “facts” collected from the
node. This is a “catalog” that gets sent to nodes
• Puppet client interprets catalog and selects
methods to arrive at the target configuration of the
resources
© 2012 Cisco and/or its affiliates. All rights reserved.
5

• Chef software framework is comprised of Chef
Server, Chef Client (agent/node), Chef
Workstation.
• Server stores target high level configurations
expressed in Ruby (cookbooks). Recipes in the
cookbook define what is required to configure a
node.
• Cookbooks/recipes combined with attributes
determine a node’s target “node-object”
configuration. Server stores a representation of
each node object
• Chef client build the node object from received
cookbooks, recipes, etc.
Clients run “Ohai” to collect local attributes on each chef
run.
• Workstation is used to author cookbooks and
recipes. Uses “knife” to load these and interact
with the Chef server.
© 2012 Cisco and/or its affiliates. All rights reserved.
6

© 2012 Cisco and/or its affiliates. All rights reserved.
7

CLI
New Paradigm
Network OS
SNMP
HTML
Monitoring
XML
AAA
Interface
CDP
App
Policy
Discovery
Syslog
Netflow
C
Java
Python
Routing
Data Plane
Ruby
Events
Routing Protocols
Span
© 2012 Cisco and/or its affiliates. All rights reserved.
Actions
App
EEM (TCL)
Anything you can think of
Traditional Approach
8

YOUR
Applications
Cross OS Network Programming
Environment to:
Program
• Innovate
API Presentation
• Extend
onePK
• Automate
onePK IPC Channel
• Customize
API Infrastructure
• Enhance
Router/
Switch
© 2012 Cisco and/or its affiliates. All rights reserved.
• Modify
Catalyst
Nexus
ASR
ISR
9

Choose the Hosting Model that Suits Your Platform and Your Application
On An External Server
• Plentiful memory/compute
• Higher latency and delay
• Supported on by all platforms
App
App
Ideal for Device
Agents
• Dedicated memory/compute
• Low latency and delay
• Requires modular hardware blade
On the Router
App
© 2012 Cisco and/or its affiliates. All rights reserved.
Blade
On A Hardware Blade
-No
“End
“Blad
e”
e
“Proc
• Shared memory/compute
• Very low latency and delay
• Requires modular software architecture
de”
ss”
10
10

C, Java, Python (Ruby) Program
onePK API Presentation
onePK API Infrastructure
IOS / XE
(Catalyst, ISR, ASR1K)
© 2012 Cisco and/or its affiliates. All rights reserved.
NXOS
(Nexus Platforms)
IOS XR
(ASR 9K, CRS)
11

Base Service Set
Description
Data Path
Provides packet delivery service to application: Copy, Punt, Inject
Policy
Provides filtering (NBAR, ACL), classification (Class-maps, Policy-maps), actions
(Marking, Policing, Queuing, Copy, Punt) and applying policies to interfaces on network
elements
Routing
Read RIB routes, add/remove routes, receive RIB notifications
Element
Get element properties, CPU/memory statistics, network interfaces, element and
interface events
Discovery
L3 topology and local service discovery
Utility
Syslog events notification, Path tracing capabilities (ingress/egress and interface stats,
next-hop info, etc.)
Developer
Debug capability, CLI extension which allows application to extend/integrate
application’s CLIs with network element
© 2012 Cisco and/or its affiliates. All rights reserved.
Used by onePK Puppet/Chef Agent
12

Linux Container
Management
Agents
• onePK provides manageability abstraction.
Traditional Management
Agents (CLI, syslog,
SNMP, XML)
Manageability
Abstraction
Next Generation
New agents
Management
(Puppet, Chef,..)
Agents (Puppet, …)
onePK PL
Transport/Marshaling
onePK AL
OS Shim
Consistent across cisco OSes
Exposes dynamic device state and
configuration
• Linux Container
Runs distribution on OS kernel
Fitted with cisco onepk libraries
Device
Management
Infrastructure
NXOS
Helps avoid CLI scraping
OS-specific
Management Infrastructure
XOS and Component APIs
Isolates application failures from Network
Element
Flexibility for application developers
Device Components
© 2012 Cisco and/or its affiliates. All rights reserved.
13

Device Agent
Master/
Server
Device Proxy Agent
Master/
Server
Device
Proxy
Agent
Agent
Agent
OnePK
OnePK
SSH,
OnePK
Linux container(s) on NXOS
© 2012 Cisco and/or its affiliates. All rights reserved.
14

Device Agent
Pros:
- Each Agent maps directly to managed
Master
device
- machine’s characteristics (facts) exposed
as own
- Easily extensible. Does not require core
puppet code changes
- Automated agent plugin code download
Agent
Agent
from master
OnePK
OnePK
- Better Scale
- Integration with CLI
Cons:
- Requires LXC container capability on
Linux
device container(s) on NXOS
© 2012 Cisco and/or its affiliates. All rights reserved.
Device Proxy Agent
Pros:
- No specific device requirements
Master
- One agent could proxy for multiple
machines
Cons:
- More complicated agent (device proxy).
Device
Proxy
- Requires extensions in core “device” mode
Agent
code
- Scale and authentication management
SSH,
OnePK
15

© 2012 Cisco and/or its affiliates. All rights reserved.
16

class cisco_onep {
$ciscodev = ”n3k-vlab"
Cisco Device
Cisco Interface
cisco_device {$ciscodev:
#log => debug,
ensure => present,
}
cisco_interface { 'Ethernet1/5':
switchport => access,
access_vlan => 1000,
}
cisco_vlan { 1000:
ensure => present,
vlan_name => ’Green',
state => active,
}
Cisco VLAN
}
© 2012 Cisco and/or its affiliates. All rights reserved.
17

Master
Nexus Switch
1. Request
Container
Puppet
Agent
Classify
2. Reply
onePK
Module
onePK API
Compile
3. Execute
onePK Infra
© 2012 Cisco and/or its affiliates. All rights reserved.
4. Report
Report
18

• Puppet agent is available for EFT
Currently Nexus 3000k and 7000k only
Cisco Plugin Resource Types + Providers
Master plugin and agent container image – not directly customer accessible
• Chef agent coming up
Currently Nexus 3000k and 7000k only
Heavy Weight Resource Provider add-on
Agent Container image – not directly customer accessible
• Initial set of capabilities for each:
Device characteristics
Interface and VLAN configuration
STP configuration
• If you’d like extend the agents – contact your cisco account manager/partner. J
© 2012 Cisco and/or its affiliates. All rights reserved.
19

• Plenty of Configuration Management Automation tools out there
Help with the task of running operations at scale
Puppet and Chef are two of the more popular/mature ones
• Cisco One-PK
Cisco device library set and SDK allowing development of applications for controlling/configuring cisco
devices
Language bindings available in C, Java, Python, (Ruby). (Or SWIG your own ;-) )
• Puppet and Chef agents for Nexus switches built using One-Pk
Helps automate the production resources.
Will be available as a switch container image + server extension package.
© 2012 Cisco and/or its affiliates. All rights reserved.
20

NXOS
Puppet Agent
DHCP Server
SCP Server
Puppet Master
N3k
“bare –metal” N3k
Power-on
DHCP Solicit (POAP options)
DHCP Offer (POAP script, config file name, image
names)
Base OS and
Configuration
(not puppet managed)
SCP copy (config, images)
Base Configuration
activated and
container installed
Puppet device
agent run triggered
OnePK API used for
device facts
collection
Production Resources
configuration(puppet
managed)
Puppet (Facts collection: name, mac-address, current
config, etc)
Puppet (Catalog: target Interface and VLAN, config, etc)
N3k VLANs
configured
© 2012 Cisco and/or its affiliates. All rights reserved.
Puppet Master
determines
catalog
OnePK API used for
device configuration
21

Thank you
© 2012 Cisco and/or its affiliates. All rights reserved.
2010
22

onePK Puppet Agent CLI - Configuration
Command
Description
Example
Onep Application
Application-name
onep applications puppet
Puppet
Version
puppet v0.8
Master
Puppet Master IPv4/FQDN and Port
master bxb-oa-linux2.cisco.com port 8999
VRF
VRF name
vrf management
Cert-name
Certificate name:
Support shared certificate and non-shared
certificate
cert-name n3k-oa-3.cisco.com
Environment
Environment (categorization)
environment bxb_oa_n3k_3
Node-name
Node name
node-name facter
Default-username
Device credentials
default-username lab password lab
Run-interval
Run frequency
run-interval 180
Domain-name
Domain name
domain-name cisco.com
Splay
Pseduo random frequency add
splay splay-limit 60
Activate
Activate daemon mode
activate
Name-server
DNS
name-server 173.37.87.157
© 2012 Cisco and/or its affiliates. All rights reserved.
23

onePK Puppet Agent CLI – Execution & Monitoring
Command
Group
Description
Example
Noop
Execute
Noop execution
execute onep application puppet v0.8 puppet_agent agent-noop
Oneshot
Execute
One time execution
execute onep application puppet v0.8 puppet_agent agent-oneshot
Ssl-all
Clear
Clear all certificates and private keys
clear onep application puppet v0.8 puppet_agent ssl-all
Ssl-cert
Clear
Clear certificate
clear onep application puppet v0.8 puppet_agent ssl-cert
Show Oper Data
Show
Show puppet agent config data
(master (server) name, run interval,
etc.)
show onep application puppet v0.8 puppet_to agent agent oper-data
Show Last Exec
Log
Show
Show log from most recent noop or
oneshot mode run (exec mode run)
show onep application puppet v0.8 puppet_agent agent last-execlog
Show Run History
Show
Show logs from most recent daemon
mode runs
show onep application puppet v0.8 puppet_agent agent run-history
run-number 1
Show Puppet
Config
Show
Shows puppet agent –config print all
show onep application puppet v0.8 puppet_agent config
Show Puppet
Copyright
Show
Show Puppet Agent copyright
show onep application puppet v0.8 puppet_agent copyright
Show Facter
Show
Show all facter variables.
show onep application puppet v0.8 puppet_agent facter
Show Log CLI
Show
Troubleshooting support
show onep application puppet v0.8 puppet_agent agent log cli
© 2012 Cisco and/or its affiliates. All rights reserved.
24

onePK Puppet Agent CLI – Debug
Command
Group
Description
Example
Debug Puppet
Agent Level
Debug
Enable debug level (verbose, etc.)
debug onep application puppet v0.8 puppet_agent agent level 1
Debug Puppet CLI
Debug
CLI Troubleshooting
debug onep application puppet v0.8 puppet_agent cli
Debug Puppet
pmgmt
Debug
Management daemon
troubleshooting
debug onep application puppet v0.8 puppet_agent pmgmt
Debug Puppet Util
Debug
Utility troubleshooting
debug onep application puppet v0.8 puppet_agent util
© 2012 Cisco and/or its affiliates. All rights reserved.
25

© 2012 Cisco and/or its affiliates. All rights reserved.
26