Post on 13-Jan-2017
Copyright © 2015 World Wide Technology, Inc. All rights reserved.
RTP NPUG: Ansible Intro and Integration with ACI
10 August 2015
Joel W. King, Technical Solutions Architect, Enterprise Networking Solutions, Engineering and Innovations
Agenda
• Whoami, how I got started using Ansible
• Introduction to Ansible
• Demo – Power on VMs
• Demo – Power on VMs, copy file to Linux hosts
• Application Centric Infrastructure (ACI) Integration
• Why we need automation for Software-Defined Networking (SDN)
• Ansible Modules for ACI
• Demo – Find the MAC address
• Demo – Apply ACI policy, run Docker application
• ACI workflow using Ansible, developing configuration libraries
• APIC-EM Integration (time permitting)
• Discussion – Q and A
whoami
• At World Wide Technology, Inc. – Enterprise SDN, NetDevOps, Programmable Networks
• Past Experience
  • NetApp – Technical Solutions Architect, Digital Video Surveillance – Big Data – E-Series
  • Cisco – Technical Leader, Enterprise Systems Engineering (ESE) – Cisco Validated Designs (CVDs)
  • Network Architect – AMP Incorporated – LAN / WAN design for a 150-location global network
  • Flash cutover of AMP’s network from OSPF to EIGRP using Perl and Telnet, ~1996
• CCIE No. 1846 (retired)
• Participated on Networking Panel at AnsibleFest NYC 2015
joel.king@wwt.com
@joel_w_king
www.slideshare.net/joelwking
github.com/joelwking/
How I got started with Ansible…
• Cisco Nexus switches have a variety of network programmability features.
• We had use cases with everything but Orchestration and NX-API.
• I thought installing an agent might be a pain point!

Diagram: Nexus 9K programmability features – Power On Auto Provisioning (POAP); NX-API (RPC / REST API); Python interpreter and Bash shell (“Introduction to Python Programming on Nexus Switches”); Nexus Data Broker w/ REST API; NX-OS and ACI; Orchestration via the APIC REST API; OpenFlow; Security-Defined Routing.
… after a little research
• Downloaded “The Benefits of Agentless Architecture”
• Installed Ansible on Ubuntu in VirtualBox
    git clone git://github.com/ansible/ansible.git --recursive
• Found in the FAQs: ansible_connection=local
• Enabled NX-API
    NEX-9396-A-TRNG-CLASS(config)# feature nxapi
    NEX-9396-A-TRNG-CLASS(config)# end
    NEX-9396-A-TRNG-CLASS# copy run start
    [###########################] 100%
    Copy complete.
• Wrote an Ansible module for NX-API!

NX-API Developer Sandbox
Introduction to Ansible
• Ansible uses SSH instead of agents.
• Python modules run locally or on target systems.
SIMPLE AGENTLESS POWERFUL
• Deploy applications
• Configuration management
• Network provisioning
• Playbooks are both human and machine readable.
• Large library of modules.
Push Based
• Chef and Puppet are “pull-based”
  • The agent on the server periodically checks with the central server for configuration information. (The Chef agent by default checks with the Chef server every 30 minutes.)
  • Chef uses a “convergent” model of configuration. As changes propagate through the nodes, the network as a whole converges to the desired configuration state.
• Ansible is “push-based”
  • You run the playbook,
  • Ansible connects to the target servers and executes the modules.
• Push-based approach – you control when the changes are made on the server!
• No need to wait for a timer to fire.
Source: Ansible Up & Running and www.chef.io/solutions/configuration-management/
Lexicon
• Inventory: A file grouping host names and (optionally) variables.
• Playbooks: A design plan of tasks to act on one or more hosts.
• YAML: Markup language, more human readable than XML / JSON.
• Facts: Variables describing the target system.
• Tasks: An activity to be carried out, e.g. install package, configure interface.
• Modules: Python code to implement tasks.
• Idempotent: Producing the same results if executed once or multiple times.
• Jinja2: Templating language converting templates to configuration files.
Ansible and the Cisco Network

Diagram: Ansible / Tower (agentless; PARAMIKO; REST API; connection: local) managing ESX Server, Windows Systems, Linux / Docker / Amazon Web Services, Nexus 3000 | 9000 and CentOS (feature nx-api), Nexus 9000 ACI, and APIC-EM / Cisco IOS, with playbooks from GitHub (github.com/joelwking/, HTTPS TCP/443). Protocols shown: SSH TCP/22, NTP UDP/123, HTTP(s) TCP/80:443, LDAP TCP/389 (Users, API).

• Provides “tool based” abstraction
• Low barrier to entry
• User written modules
• Common framework to manage controllers and individual devices
$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
>>> import yaml
>>> playbook = yaml.load(open("add_local_user.yml", "r"))
>>> print playbook[0]["tasks"][0]["name"]
Add local user
What is YAML?
• YAML (rhymes with camel) is a data serialization format.
• Designed to be human and machine readable.
• Ansible playbooks are YAML format.
• Syntax is designed to be mapped to data types in programming languages: lists, associative arrays (Python dictionaries), and scalar variables.
Use Case: Power On
• ESXi hosts on ACI Demo Fabric were power cycled.
• VMs for ACI Tenant were in power-down state following reboot.
• Run playbook to power-up my demo VMs, rather than use vSphere Client.
$ cat power_up_vms.yml
---
- hosts: 127.0.0.1
  connection: local
  user: administrator
  sudo: false
  gather_facts: false

  vars:
    vmware_guest_facts: yes
    joelking:
      - X-DOCKER-CLIENT
      - X-DOCKER-SERVER-1
      - X-DOCKER-SERVER-2
      - X-A10-vThunder

  tasks:
    - name: Power UP
      vsphere_guest:
        vcenter_hostname: 10.255.40.128
        username: administrator@vsphere.local
        password: **foo**
        guest: "{{item}}"
        state: powered_on
        esxi:
          datacenter: "ACI Demo DC"
          hostname: 10.255.138.168
      with_items: joelking
Demo: Power On virtual machines
Use Case: Copy File to VMs
• Modify playbook to list VM names and Ubuntu hosts in Inventory file
• Items under group [virtual_machines] are VM names, not DNS names
• Items under group [Ubuntu]
  • X-A10-vThunder is a virtual appliance, not a Ubuntu host
• When running a play, the values are referenced by variable {{inventory_hostname}}
$ cat hosts
#
[aci]
aci-demo.sandbox.wwtatc.local ansible_connection=local ansible_ssh_user=kingjoe admin_uid=netdeploy
#
#
[server]
scp-server.sandbox.wwtatc.local ansible_ssh_user=administrator
#
[virtual_machines]
X-DOCKER-CLIENT
X-DOCKER-SERVER-1
X-DOCKER-SERVER-2
X-A10-vThunder

[Ubuntu]
X-DOCKER-CLIENT.sandbox.wwtatc.local
X-DOCKER-SERVER-1.sandbox.wwtatc.local
X-DOCKER-SERVER-2.sandbox.wwtatc.local
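The inventory above is the INI-style format: a `[group]` header opens a group, each following line is a host, and `key=value` pairs after a host set that host's variables (here `ansible_connection=local` marks hosts whose modules run on the control machine rather than over SSH). As an added example, not part of the slides or the author's modules, here is a small Python parser for that layout; the `SAMPLE_INVENTORY` inside it is constructed to mirror the slide, and the function names are my own.

```python
import re

# Constructed sample inventory, laid out like the hosts file on the slide.
SAMPLE_INVENTORY = """\
#
[aci]
aci-demo.sandbox.wwtatc.local ansible_connection=local ansible_ssh_user=kingjoe admin_uid=netdeploy
#
[server]
scp-server.sandbox.wwtatc.local ansible_ssh_user=administrator
#
[virtual_machines]
X-DOCKER-CLIENT
X-DOCKER-SERVER-1
X-A10-vThunder

[Ubuntu]
X-DOCKER-CLIENT.sandbox.wwtatc.local
X-DOCKER-SERVER-1.sandbox.wwtatc.local
"""

GROUP_HEADER = re.compile(r"^\[([^\]]+)\]$")


def parse_inventory(text):
    """Parse INI-style inventory text into {group: {host: {var: value}}}.

    '#' starts a comment, '[name]' opens a group, and any other non-empty
    line is a host optionally followed by key=value host variables.  Hosts
    listed before any header land in the implicit 'ungrouped' group.
    """
    groups = {}
    current = "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        header = GROUP_HEADER.match(line)
        if header:
            current = header.group(1)
            groups.setdefault(current, {})
            continue
        parts = line.split()
        host, hostvars = parts[0], {}
        for pair in parts[1:]:
            if "=" not in pair:
                raise ValueError("malformed host variable %r in line %r" % (pair, raw))
            key, value = pair.split("=", 1)
            hostvars[key] = value
        groups.setdefault(current, {})[host] = hostvars
    return groups


def hosts_in(groups, name):
    """Sorted host names of one group (empty list if the group is absent)."""
    return sorted(groups.get(name, {}))


def local_connection_hosts(groups):
    """Hosts that set ansible_connection=local.  Their tasks execute on the
    control machine itself, so that machine's credentials and network reach
    are what matter for them, not SSH access to the named host."""
    return sorted(host
                  for hosts in groups.values()
                  for host, hostvars in hosts.items()
                  if hostvars.get("ansible_connection") == "local")


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    print(hosts_in(inv, "virtual_machines"))
    print(local_connection_hosts(inv))
```

Note that group `[virtual_machines]` yields bare VM names while `[Ubuntu]` yields DNS names, exactly as the slide warns: the parser does not resolve anything, it only records what each play will see as `{{inventory_hostname}}`.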
Use Case: Copy File to VMs (continued)

$ cat power_up_vms.yml
---
- hosts: virtual_machines
  connection: local
  user: kingjoe
  sudo: false
  gather_facts: false

  vars:
    vmware_guest_facts: yes

  vars_prompt:
    - name: "vCenter_password"
      prompt: "Enter vCenter password"
      private: yes

  tasks:
    - name: Power UP my VMs
      vsphere_guest:
        vcenter_hostname: 10.255.40.128
        username: administrator@vsphere.local
        password: "{{vCenter_password}}"
        guest: "{{inventory_hostname}}"
        state: powered_on
        esxi:
          datacenter: "ACI Demo DC"
          hostname: 10.255.138.168

- hosts: Ubuntu
  user: administrator

  vars:
    MY_directory: "/tmp/ansible"

  tasks:
    - name: Create directory
      file: dest={{MY_directory}} state=directory mode=0755
    - name: Download a file to the directory
      get_url: url=http://docs.ansible.com/ansible/modules.html dest={{MY_directory}} mode=0666 validate_certs=no

$ ansible-playbook -i hosts power_up_vms.yml --ask-pass

Note: this is an example of running modules locally and on remote systems from the same playbook.
Demo: Modify Power On virtual machines playbook to use inventory file, copy file to Linux hosts
Ansible Tower

Ansible Enterprise Automation
Simple. Agentless. Powerful.
Control. Security. Delegation.

Ansible Open Source
/ Uses OpenSSH / No extra code to manage / Ready for cloud-scale
/ Uses YAML for playbooks / No special coding skills needed / Fast learning curve
/ App deployment / Orchestration / Configuration management

Ansible Tower
/ Role-Based Access Control / Delegation of credentials/keys / Audit trail for automation
/ Centralized job runs / Job scheduling / Automation dashboard
/ Push-button job execution / Portal mode for delegation / REST API for integration

PUSH-BUTTON LAUNCH: Launch automation jobs with a button
ACCESS CONTROL: Role-based access control & LDAP integration
DELEGATION OF CREDENTIALS: Delegate credentials without giving away secrets
SCHEDULING: Schedule automation jobs (great for periodic remediation)
INVENTORY MANAGEMENT: Graphically manage your internal & cloud resources
API & CLI: Documented RESTful API and Tower CLI to integrate Tower into your tools
AUDITING: See a full Ansible job history with drill-in details
ANSIBLE TOWER: The best way to run Ansible in your organization.
Ansible Up & Running
Network automation going mainstream#netdevops
Application Centric Infrastructure (ACI)
Cisco Nexus Data Center Switching
• If you are looking to Cisco for a Data Center switch, it will be a Nexus 9000.
• Nexus 9000 runs in either of two modes:
  • NX-OS
  • Application Centric Infrastructure – ACI
• Networks need Automation & Programmability.
• NX-API enables a northbound REST interface on individual NX-OS switches.
  • Nexus 3000 NX-API supported in NX-OS 6.0(2)U4(1).
  • NX-OS release 7.x enables NX-API on Cisco Nexus 5000 and 6000.
• APIC is the Software Defined Networking controller for ACI.
• Ansible | Tower can be your automation engine.
Why do I need automation with ACI?
• Using the ACI GUI is time consuming and prone to human error.
• WWT Integration Technology Center (ITC) is the hub of our global deployments and supply chain programs.
• Customers use the ITC to stage their data center infrastructure prior to deployment.
Cisco Application-Centric Infrastructure (ACI)
• A data center fabric with three components:
  • Nexus 9000 Series Switches and the Cisco Application Virtual Switch (AVS)
  • SDN architecture based on a policy framework for configuration, management, security
  • Cisco Application Policy Infrastructure Controllers (APIC)
• Nexus switches in the fabric are plug-n-play.
• All functions of the controller are exposed via REST APIs.
• The Web GUI is designed for initial configuration, a tool for automation.

Cisco APIC Python SDK (“cobra”)
CLI: admin@apic1:aci>
Ansible and Nexus Switches
• Nexus 9K switches run either ACI mode or NX-OS mode.
• Enhancements to NX-OS including feature nx-api in Nexus 3K, 7K, 5K, etc.
• NX-API provides HTTP based APIs for configuration management – XML or JSON.
• Application Policy Infrastructure Controller – APIC is an SDN controller managing Nexus 9K in ACI mode.
• Servers, applications, and network can be managed in a single playbook.

Diagram (as on the earlier “Ansible and the Cisco Network” slide): Ansible / Tower (agentless; REST API; connection: local) managing ESX Server, Windows Systems, Linux / Docker, Nexus 3000 | 9000 and CentOS (feature nx-api), and Nexus 9000, with GitHub over HTTPS TCP/443; protocols shown: SSH TCP/22, NTP UDP/123, HTTP(s) TCP/80:443, LDAP TCP/389 (Users, API).
Ansible ACI Modules
• aci_gather_facts.py
  • Gather Facts using Class or Managed Object Queries
  • https://youtu.be/Ec_ArXjgryo
• aci_install_config.py
  • Configures the fabric via ACI controller (APIC) northbound REST API interface.
  • https://youtu.be/PGBYIxEsqU8
  • This module issues a POST of XML; the APIC will create or update the object as required.
  • Deletions are implemented by including status="deleted" in the XML.
Gathering Facts: Types of Queries
• Managed Objects (MO) are abstract representations of a physical / logical entity.
• Contain a set of configurations and properties.
• Organized in a tree structure called the Management Information Tree.

Object-level query:  get /api/mo/uni/tn-ACME.json
Class-level query:   get /api/class/fvTenant.json

Diagram: Management Information Tree with tenants tn-mgmt, tn-ACME and tn-infra; the object-level query selects tn-ACME, the class-level query returns every fvTenant.
Managed Object Query
• Managed Object Queries and Class Queries are handled by the same module, aci_gather_facts.py
• The difference is the URI specified as argument to the module.
• In either case, the answer set is a list of objects; typically the Class Query will have more than one element in the list.
• If the REST call is successful, but the results are null, the list is empty.
• Example playbook for Managed Object query: https://github.com/joelwking/ansible-aci/blob/master/aci_mo_example.yml
Class Query: Find MAC address given IP
fvCEp: A client endpoint attaching to the network.

$ ./bin/ansible-playbook find_macaddress.yml

---
# https://github.com/joelwking/ansible-aci/blob/master/find-macaddress.yml
- name: Ansible ACI Demo of gathering facts using a class query
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    IPaddr: 198.51.100.4

  tasks:
    - name: Find the MAC address given an IP address
      aci_gather_facts:
        queryfilter: 'eq(fvCEp.ip, "{{IPaddr}}")'
        URI: /api/class/fvCEp.json
        host: "{{hostname}}"
        username: admin
        password: "{{password}}"

    - name: use msg format
      debug: msg=" ManagementIP {{ fvCEp[0].ip }} mac {{ fvCEp[0].mac }} encap {{ fvCEp[0].encap }} "

TASK: [use msg format] *****************************************
ok: [prod-01] => {
    "msg": " ManagementIP 198.51.100.4 mac 00:50:56:B6:1C:CC encap vlan-2142 "
}

Filter results based on the IP address specified. Can anyone tell me the flaw in this logic?
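The playbook interpolates `IPaddr` into the query filter, receives the answer set as the list `fvCEp`, and the debug task reads `fvCEp[0]`. As an added example, not the author's `aci_gather_facts` module and not an answer to the question on the slide, the Python below works through the same three steps on a constructed copy of the JSON the APIC returns for a class query (`imdata` holding `fvCEp` objects with `attributes`), and handles the two situations the debug task does not: an empty answer set, and more than one endpoint reported with the same address. The function names, the sample data and the IANA documentation-range MACs in it are mine.

```python
import json
import re

# Constructed APIC answer set, shaped like the JSON the APIC returns for
# GET /api/class/fvCEp.json with a query filter on fvCEp.ip.  Two tenants
# happen to report an endpoint with the same address; the MACs are from the
# IANA documentation range and are not real endpoints.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:00:5E:00:53:01",
            "ip": "198.51.100.4", "mac": "00:00:5E:00:53:01", "encap": "vlan-2142"}}},
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-ACME/ap-WEB/epg-FRONT/cep-00:00:5E:00:53:02",
            "ip": "198.51.100.4", "mac": "00:00:5E:00:53:02", "encap": "vlan-3001"}}},
    ],
})

IPV4 = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")


def build_queryfilter(ip):
    """Build the query-target-filter string the playbook passes as 'queryfilter'.
    The address is interpolated into the filter verbatim, so validate it first:
    anything that is not a dotted quad is rejected instead of being sent."""
    if not IPV4.match(ip):
        raise ValueError("not an IPv4 address: %r" % ip)
    return 'eq(fvCEp.ip, "%s")' % ip


def parse_class_query(json_text, cls="fvCEp"):
    """Flatten the APIC answer set into a list of attribute dicts.
    A successful call with no matches has an empty imdata, so this returns []."""
    data = json.loads(json_text)
    return [obj[cls]["attributes"] for obj in data.get("imdata", []) if cls in obj]


def tenant_of(dn):
    """Tenant name encoded in a dn such as uni/tn-ACME/ap-WEB/epg-FRONT/cep-..."""
    match = re.match(r"^uni/tn-([^/]+)/", dn)
    return match.group(1) if match else None


def select_endpoint(endpoints, ip, tenant=None):
    """Pick the single endpoint with this address, scoped to a tenant when given.
    Returns None for an empty answer set and raises when several endpoints
    match, rather than silently taking element [0] as the debug task does."""
    hits = [ep for ep in endpoints
            if ep.get("ip") == ip
            and (tenant is None or tenant_of(ep.get("dn", "")) == tenant)]
    if not hits:
        return None
    if len(hits) > 1:
        raise LookupError("%d endpoints report %s: %s"
                          % (len(hits), ip, ", ".join(ep["dn"] for ep in hits)))
    return hits[0]


def find_mac(json_text, ip, tenant=None):
    """End to end: parse the answer set and return (mac, encap), or None."""
    ep = select_endpoint(parse_class_query(json_text), ip, tenant)
    return None if ep is None else (ep["mac"], ep["encap"])


if __name__ == "__main__":
    print(build_queryfilter("198.51.100.4"))
    print(find_mac(SAMPLE_RESPONSE, "198.51.100.4", tenant="A10_DEMO"))
```

`tenant_of` reads the tenant out of the `dn`, which is what lets the lookup be scoped; with no tenant given and two hits, `select_endpoint` refuses to guess.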
Importing Playbook into Tower
• Logon to Tower
• Create directory /var/lib/awx/projects/find-macaddress
• Copy the contents of the playbook into a file in the directory, e.g. find-macaddress.yml
• I commented out the variable IPaddr; Tower will prompt.
• Create a project,
• Create a job template,
• Run job template.
Install ACI Configuration
• Ansible module aci_install_config.py
• Configures the fabric via ACI controller (APIC) northbound REST API interface.
• Reads the XML file specified as an argument
• Authenticates with the APIC
• Issues HTTP POST with the URL specified.
• Key Point
  • Gather Facts provided the MAC and ‘dn’ based on a Tenant and IP address
  • Now we can programmatically build a troubleshooting policy and load it into the tenant.
  • By automating the creation of monitoring and troubleshooting policies, we save time.
• Tower initiates Python modules to apply policy to the tenant in the ACI fabric.
• Tower initiates a Python application installed in a Docker container on the client machine.
Ansible Tower – Apply ACI policy and run Docker app

Diagram: x-docker-client (.10) in Bridge Domain TEST-NET-1, 192.0.2.0/24 (.1), and x-docker-server-1 (.10) in Bridge Domain TEST-NET-2, 198.51.100.0/24 (.1); labels: management network policy, app.
Demo: Apply ACI policy, run Docker app
https://youtu.be/t03ty5Y295U?t=1m49s
Developing Configuration Libraries

Using Playbooks to Organize your Workflow
• While developing ACI configurations, I found myself using Ansible Playbooks to organize my work.
• The total configuration is broken into distinct, verified steps.
• The configuration snippets can be shared among engineers as ACI ‘best practice’ configs.
• Repository on WWT’s GitHub Enterprise server: atc-ops / aci-config-templates

Workflow: configure → Verify | test → Save XML → Incorporate into playbook → automate

Configure via the GUI

Verify and Test the configuration

Save the config snippet as XML
<fvTenant>
  <traceroutepTrEp adminSt="start" descr="traceroute policy for client to server 10" dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10" ownerKey="" ownerTag="" payloadSz="56">
    <traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>
    <traceroutepRsTrEpDst tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>
  </traceroutepTrEp>
</fvTenant>
Incorporate into Playbook

---
- name: Deploy Tenant for A10 ADC
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    local_path: /home/administrator/ansible/CFGS
    fvTenant: A10_DEMO
    L4L7: vnsLDevVip_A10.xml

  tasks:
    - name: Loop through the variables to deploy the tenant
      aci_install_config:
        xml_file: "{{ local_path }}/{{ item }}"
        URI: "/api/mo/uni/tn-{{fvTenant}}.xml"
        host: "{{hostname}}"
        username: admin
        password: "{{password}}"
      with_items:
        - fvTenant_A10_DEMO.xml                  # Create Tenant
        - vzFilter_A10_TCP_SMALL_SERVERS.xml     # Create Filter
        - vzBrCP_A10_CONTRACT_SUBJ.xml           # Create Contract and Subject
        - fvCtx_A10_DEMO.xml                     # Create Private Network
        - fvBD_A10_BRIDGE_DOMAIN.xml             # Create Bridge Domains
        - fvAP_A10_APP.xml                       # Create Application EPGs
        - traceroutepTrEp_A10_clientserver.xml   # Create traceroute policy
        - "{{ L4L7 }}"                           # Create L4-L7 Services
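Every file in the loop is POSTed to the same tenant URI, `/api/mo/uni/tn-{{fvTenant}}.xml`, and the earlier slide notes that a deletion is expressed by adding `status="deleted"` to the XML. As an added example, not the author's `aci_install_config` module, the Python below shows two checks a practitioner would want before a snippet from a shared library is posted: that the tenant name is safe to build a path from, and that every `dn` / `tDn` in the snippet actually lives under that tenant (a stray reference usually means a snippet written for another tenant). It also produces the deletion form of a snippet. The XML constant is the traceroute policy from the “Save the config snippet as XML” slide; the function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# XML snippet as saved from the APIC GUI on the earlier slide
# (a traceroute policy inside tenant A10_DEMO).
TRACEROUTE_SNIPPET = (
    '<fvTenant>'
    '<traceroutepTrEp adminSt="start" descr="traceroute policy for client to server 10" '
    'dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10" '
    'ownerKey="" ownerTag="" payloadSz="56">'
    '<traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>'
    '<traceroutepRsTrEpDst tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>'
    '</traceroutepTrEp>'
    '</fvTenant>'
)


def tenant_uri(tenant):
    """The URI the playbook POSTs each snippet to: /api/mo/uni/tn-<tenant>.xml.
    The tenant name comes from a playbook variable, so restrict it to the
    characters that can appear in a dn before building a path from it."""
    if not re.match(r"^[A-Za-z0-9_.:-]+$", tenant):
        raise ValueError("tenant name not usable in a dn: %r" % tenant)
    return "/api/mo/uni/tn-%s.xml" % tenant


def out_of_scope_refs(xml_text, tenant):
    """Every (tag, attribute, value) for a dn / tDn that is not under uni/tn-<tenant>.
    A snippet posted to one tenant's URI should only name objects in that tenant."""
    own = "uni/tn-%s" % tenant
    bad = []
    for elem in ET.fromstring(xml_text).iter():
        for attr in ("dn", "tDn"):
            value = elem.get(attr)
            if value is not None and value != own and not value.startswith(own + "/"):
                bad.append((elem.tag, attr, value))
    return bad


def ready_to_post(xml_text, tenant):
    """True when the snippet is well-formed XML and every reference stays in the tenant."""
    try:
        return not out_of_scope_refs(xml_text, tenant)
    except ET.ParseError:
        return False


def mark_deleted(xml_text, tag):
    """Return the snippet with status="deleted" set on every <tag> element,
    the form the slides describe for deleting an object through the same POST."""
    root = ET.fromstring(xml_text)
    matched = list(root.iter(tag))
    if not matched:
        raise LookupError("no <%s> element in snippet" % tag)
    for elem in matched:
        elem.set("status", "deleted")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(tenant_uri("A10_DEMO"), ready_to_post(TRACEROUTE_SNIPPET, "A10_DEMO"))
    print(mark_deleted(TRACEROUTE_SNIPPET, "traceroutepTrEp"))
```

Run against the library directory, `out_of_scope_refs` over each file in the `with_items` list gives a quick review of what a snippet will touch before the fabric sees it.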
Automate
Configuration Libraries
• ACI needs a library of ‘best practice’ configurations.
• Network engineers create configurations using the APIC GUI.
• Configurations are tested, verified and then saved in XML.
• The configuration snippets are organized into a playbook.
• Only the with_items loop needs to be changed in the playbook.
• XML files can be converted into templates.
• Playbooks, XML and Templates stored in Git Repo.
Key Take-away
• Networks are evolving from individual devices to the SDN paradigm of a single fabric under a central controller.
• Cisco ACI is an SDN implementation which abstracts the network devices; the fabric is plug-n-play and provides central management and visibility.
• The GUI on top of an SDN controller isn't sufficient and we will still need automation.
• Eliminate the hands in operations:
  • No keyboard errors,
  • No incomplete configurations,
  • Build libraries of ‘best practice’ configurations.
• Network Engineers can use Ansible to automate Nexus switches to more closely align with DevOps.
APIC-EM

Synergy

Ansible
• Ansible is an open source automation tool.
• Designed to be easy for anyone to understand and learn.
• Written module to apply configuration changes to Cisco IOS devices.
• Requires an inventory file to identify target routers and switches to apply a baseline configuration.

Cisco APIC-EM
• APIC-EM is an SDN controller for legacy LAN/WAN devices.
• Single source of truth.
• Provides inventory to Ansible by discovery of Cisco IOS devices in the network.

WWT
• Python module to integrate the two applications.
Understanding the Network
• You can’t automate what you don’t understand!
• Discovery based on
  • CDP
  • IP address ranges
• Initiated either via GUI or REST API
• Discovered Devices

“You used the northbound API, put two disparate pieces of technology together and made them work better than they can individually.”
– Phil Casini, Director Product Management for Cisco’s LAN/WAN SDN controller APIC EM.
Advanced Technology Center (ATC)

Using APIC-EM as the single source of truth.

Playbook Tasks
1. apic_em_gather_facts: Query the APIC-EM controller for a list of discovered devices.
2. cisco_ios_install_config: Updates running config of discovered devices.

---
- name: Integration of APIC-EM with Ansible
  hosts: 127.0.0.1
  connection: local
  gather_facts: no

  vars:
    ansible_ssh_user: administrator
    enablepw: xxxxx
    password: xxxxx

  tasks:
    - name: Use APIC-EM controller to return a list of discovered devices
      apic_em_gather_facts:
        host: 10.255.40.125
        username: bob
        password: xxxxxx

    - name: Install the configuration file
      cisco_ios_install_config:
        URI: ftp://ftpuser:xxxxx@10.255.40.101/sdn/lab_config_files/ios_config.cfg
        host: "{{ item }}"
        username: admin
        enablepw: "{{ enablepw }}"
        password: "{{ password }}"
        debug: off
      with_items: mgmtIp

github.com/joelwking/ansible-apic-em
github.com/joelwking/ansible-ios

!
!
ip name-server vrf management 8.8.8.8
!
ip http server
ip http secure-server
!
ip access-list extended ACL-AGENT-REDIRECT
 remark explicitly prevent DNS from being redirected to address a bug
 deny udp any any eq domain
 remark redirect HTTP traffic only
 permit tcp any any eq www
 remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 deny ip any any log
!
end

Execute the Playbook in Ansible Tower

Blog: https://communities.cisco.com/community/developer/blog/2015/07/20/using-apic-em-as-the-single-source-of-truth
Thanks to our sponsors

Slides are available at: www.slideshare.net/joelwking

“It is no longer about writing 300,000 lines of code. It is about writing as little code as possible to get that rapid speed.”
– Tim Vanderham, the head of development for IBM Bluemix and IBM Cloud Marketplace. “Cultivating the API Economy”, searchsoa.techtarget.com/feature/Cultivating-the-API-Economy