Ask an Expert: Ansible Network Automation
Sean Cavanaugh, Technical Marketing Manager, Red Hat Ansible (@IPvSean)
Iftikhar Khan, Senior Manager, Engineering Team, Red Hat Ansible (@ifty_k)
For more information or to register visit: ansible.com/automates
● Tampa, FL: November 14, 2018
● New York, NY: December 4, 2018
● Nashville, TN: October 25, 2018
NETWORKING WORKSHOP
For more information or to register visit: ansible.com/workshops
● Portland, OR: November 6, 2018
● Houston, TX: November 7, 2018
● Rochester: November 7, 2018
WHAT WE’RE TALKING ABOUT TODAY
● httpapi
● net_get and net_put
● new netconf modules
● cli_command and cli_config
● New Tower 3.3 UI Improvements
● Tower Credential Management for Network Devices
● Custom Ansible Environment Support for Ansible Tower
● Ansible Network Roles
● Q/A with Ifty and Sean
httpapi connection plugin
● New top level connection method available on Ansible 2.6 and later
● To invoke use connection: httpapi
● Initially supports
○ Cisco Nexus NX-API for the NX-OS platform
○ Arista eAPI for the EOS platform
● The httpapi method is implied by the ansible_network_os
Networking Platform | ansible_network_os      | httpapi method
Arista EOS          | ansible_network_os=eos  | eAPI
Cisco NX-OS         | ansible_network_os=nxos | NX-API
httpapi connection plugin example
---
- name: httpapi Playbook
  hosts: leaf01
  connection: httpapi
  gather_facts: false
  tasks:
    - name: type a simple arista command
      eos_command:
        commands:
          - show version | json
      register: command_output

    - name: print command output to terminal window
      debug:
        var: command_output.stdout[0]["version"]
net_get and net_put
● Agnostic network modules
● Requires connection: network_cli type
● Support SCP or SFTP transfer protocols
● Requires scp installed and enabled on control and target nodes
net_get and net_put example
---
- name: PLAYBOOK SHOWCASING NET_GET AND NET_PUT
  hosts: leaf01
  connection: network_cli
  gather_facts: false
  tasks:
    - name: COPY FILE FROM THE NETWORK DEVICE TO ANSIBLE CONTROLLER
      net_get:
        src: running_cfg_eos1.txt

    - name: COPY FILE FROM THE ANSIBLE CONTROLLER TO THE NETWORK DEVICE
      net_put:
        src: temp.txt
netconf
● Network management protocol developed and standardized by the IETF
● Alternative to SSH command line (network_cli) and device APIs (httpapi)
● Three netconf specific modules
○ netconf_get - fetch configuration/state data from NETCONF enabled network devices
○ netconf_rpc - execute operations on NETCONF enabled network devices
○ netconf_config - netconf device configuration; the module allows the user to send a configuration XML file to a netconf device, and detects if there was a configuration change.
netconf - converting RPC to a Playbook
<rpc>
  <get-interface-information>
    <interface-name>ge-2/3/0</interface-name>
    <detail/>
  </get-interface-information>
</rpc>
]]>]]>
- name: GET INTERFACE INFO
  netconf_rpc:
    display: json
    rpc: get-interface-information
    content:
      interface-name: "em1.0"
netconf - full example
---
- name: RUN A NETCONF COMMAND
  hosts: juniper
  gather_facts: no
  connection: netconf

  tasks:
    - name: GET INTERFACE INFO
      netconf_rpc:
        display: json
        rpc: get-interface-information
        content:
          interface-name: "em1.0"
      register: netconf_info
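The RPC-to-task conversion from the netconf slides, as an added Python example (not from the original deck or the Ansible project): it strips the NETCONF 1.0 end-of-message marker, takes the operation name for rpc, and passes the child elements to content as an XML string, which netconf_rpc accepts as an alternative to a dictionary. The names rpc_to_task and split_tag are hypothetical helpers, and the sample message is the slide's RPC.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the RPC shown on the slide, followed by the
# NETCONF 1.0 end-of-message marker (]]>]]>).
SLIDE_RPC = """<rpc>
  <get-interface-information>
    <interface-name>ge-2/3/0</interface-name>
    <detail/>
  </get-interface-information>
</rpc>
]]>]]>"""

EOM = "]]>]]>"


def split_tag(tag):
    """Return (namespace, local name) for an ElementTree tag (hypothetical helper)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return None, tag


def rpc_to_task(framed_xml, name="RUN RPC"):
    """Build a netconf_rpc task (as a dict) from one framed <rpc> message."""
    body = framed_xml.split(EOM, 1)[0].strip()   # drop the framing marker
    root = ET.fromstring(body)
    if split_tag(root.tag)[1] != "rpc":
        raise ValueError("top-level element is not <rpc>")
    operations = list(root)
    if len(operations) != 1:
        raise ValueError("expected exactly one operation inside <rpc>")
    op = operations[0]
    xmlns, op_name = split_tag(op.tag)
    args = {"rpc": op_name, "display": "json"}
    if xmlns:
        args["xmlns"] = xmlns                    # netconf_rpc's xmlns option
    # Pass the operation's children through as an XML string, so empty
    # elements such as <detail/> reach the device unchanged.
    content = "".join(
        ET.tostring(child, encoding="unicode").strip() for child in op
    )
    if content:
        args["content"] = content
    return {"name": name, "netconf_rpc": args}
```

ElementTree is used here on operator-written RPC text; for XML that comes from an untrusted source, parse it with a hardened parser such as defusedxml instead.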
cli_command and cli_config
● Agnostic network modules, available Ansible 2.7 and later
● Requires connection: network_cli type
Networking Inventory
[cisco]
rtr1 ansible_host=54.201.149.175
rtr2 ansible_host=34.222.129.140
rtr3 ansible_host=34.219.120.71

[cisco:vars]
ansible_user=admin
ansible_network_os=ios

[arista]
leaf01 ansible_host=34.217.176.5
leaf02 ansible_host=34.217.176.6

[arista:vars]
ansible_user=admin
ansible_network_os=eos
ansible_network_os identifies operating system and plugins to use
cli_* - full example
---
- name: AGNOSTIC PLAYBOOK
  hosts: cisco
  gather_facts: no
  connection: network_cli
  tasks:
    - name: CONFIGURE DNS
      cli_config:
        config: ip name-server 8.8.8.8

    - name: CHECK CONFIGURATION
      cli_command:
        command: show run | i ip name-server
      register: cisco_output
What is Tower?
Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation with a UI and RESTful API.
Red Hat Ansible Tower
https://www.ansible.com/tower
Red Hat Ansible Tower
● When would I need Tower vs the command-line Ansible?
○ When 2 or more people start using the same Playbooks in their organization
○ When I need a central point of execution
○ When I need an API to control my Playbooks
○ When I need integrations with TACACS+, RADIUS, SAML, AD
○ When I am doing more than just networks
● How do I get started?
○ Free Workshops, Free Trials (Linux, Vagrant, AWS EC2)
○ Red Hat Global Learning Services: https://red.ht/2jVOvNg
New Tower 3.3 UI Improvements
Credentials
Orgs, Users and Teams
Notifications
Get more things done, with fewer clicks!
More Top Level Info under Jobs
Who launched this job
When the job was launched
What the job was launched against
Network Credential Management
● Treat network devices just like servers!
● SSH keys or username/pass
● Stored credentials are encrypted, utilizing AES-256 in CBC mode alongside a SHA-256 HMAC.
Ansible Environment
● More flexibility
● Control which version of Ansible is used on a per-Job basis
● No more locking of Tower to a specific Engine release
https://galaxy.ansible.com/ansible-network
Ansible Network Roles
Network Activities for Operators
● Distributed through Ansible Galaxy
● Data driven workflows for performing network operator tasks
● Extensible and adaptable for any platform, any device
● Fully Supported through your Red Hat Subscription
cloud_vpn - Network Role
Purpose: Agnostic role for creating IPSEC VPN tunnels between two clouds or endpoints.
Providers: Cloud: AWS, Azure, OpenStack. EndPoints: AWS VPN, VyOS, Cisco CSR, RHEL, CentOS
Ansible Version: 2.6+
Functions
● create_vpn
● delete_vpn
Example
- include_role:
    name: ansible-network.cloud_vpn

- include_role:
    name: ansible-network.cloud_vpn
    tasks_from: delete_vpn
https://galaxy.ansible.com/ansible-network/cloud_vpn
[Diagram: Cisco CSR on AWS and RHEL on Azure, connected by VPN]
config_manager - Network Role
Purpose: Platform agnostic approach to managing the active (running) configuration file on network devices
Providers: VyOS, Junos OS, Arista EOS, Cisco IOS, IOS-XR, IOS-XE, NX-OS
Ansible Version: 2.6+
Functions
● get
● load
● save
Example
---
- hosts: network
  gather_facts: false
  roles:
    - name: ansible-network.config_manager
      function: get
https://galaxy.ansible.com/ansible-network/config_manager
[Diagram: Cisco IOS-XE, Juniper Junos, Arista EOS]
yang - Network Role
Purpose: Platform agnostic approach to managing the active (running) configuration file on network devices
Providers: Cisco IOS-XR and Juniper Junos
Ansible Version: 2.6.2+
Functions
● configure
● spec
● fetch
Example
- hosts: iosxr
  connection: netconf
  gather_facts: false
  tasks:
    - name: include yang role
      include_role:
        name: ansible-network.yang
        tasks_from: fetch
https://galaxy.ansible.com/ansible-network/yang
[Diagram: Cisco IOS-XE, Juniper Junos]
github.com/network-automation
facebook.com/ansibleautomation
twitter.com/ansible