Transcript of „Software-oriented“ network...
(C) 2010, Petr Grygarek
„Software-oriented“ network management
Network Automation
Necessary for agility in networking, which is limited by manual work
- faster changes (both customer deployments and decommissions)
- more reliable changes – limits human errors
- scalable changes even over a lot of devices
Goals
• Vendor-neutral automation of network configuration
• Present network devices and the network to the automation/orchestration programmer in a way natural to the traditional programmers' world
  • (distributed) database with a well-known API and transaction support
• As basic networking concepts have been defined for years, stable network service abstractions can/should be defined now
Problems with current management methods (1)
• SNMP failed completely as a configuration management protocol
  • respective MIB objects are not unified across vendors or not defined at all
  • command ordering problems
  • lack of atomicity – distributed transactions over multiple devices
  • as a result, SNMP is widely used just for network monitoring
• CLI scripting is mostly used instead
  • the advantage is that a rich set of freely available text-processing tools can be utilized
Problems with current management methods (2)
• No common data model exists even for basic configuration elements
  • e.g. static routes
• Configuration and monitoring data are not clearly separated in MIBs
RFC 3535: Overview of the 2002 Internet Architecture Board Network Management Workshop
• Summarizes outcomes from an IETF workshop with network operators and protocol developers focused on network management technologies currently being developed in the IETF
• Identifies common requirements of network operators for configuration management
RFC 3535: Most important requirements
• Ease of use
• Clear separation between configuration and operational data (state)
• Configure the network as a whole rather than configuring individual devices
  • distributed transaction support – atomic update of configuration on multiple devices
• Standard database schema - data model common for all vendors
• Proper operation ordering to get from state A to state B is to be implemented inside the managed device, not handled by the NMS
• Configuration backup & restore: provide the complete config at once & paste it to another device. Easy comparison of configurations.
• Text-based configurations – allow usage of tools like diff, CVS etc.
• Multiple configuration datastores support: decouple configuration transfer to the managed device from its actual activation
NetConf and YANG
The model stems from best practices obtained during years of operating networks using CLI scripting and SNMP and conforms with RFC 3535
• NetConf
  • domain-specific protocol for configuration management
  • remote primitives to edit configuration on managed device(s) by manipulating the respective data model
• YANG
  • A data modelling language that describes individual configuration elements in a vendor-independent manner (both semantics and exact data encoding)
  • Each managed device can provide the supported data models that fully specify how to manage it
NetConf messages contain a payload formatted according to the YANG specification for the respective configuration element to be read or manipulated
Dynamic nature of device's configuration models
• When the network management system (NMS) establishes a NetConf session with a managed device, the device sends a Hello with a list of its „capabilities“ - supported YANG models (both standard and vendor specific)
• The Netconf client can then download a particular YANG model from the managed device (get-schema NetConf command) and configure the device according to the syntax/semantics specified there
NetConf
Base specification:
RFC 6241: Network Configuration Protocol (NETCONF)
Some extensions:
• RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)
• RFC 6470: Network Configuration Protocol (NETCONF) Base Notifications
• RFC 6022: YANG Module for NETCONF Monitoring
• ...
NetConf Basic Features
• Separates configuration and operational data
• Client-server architecture
  • NMS acts as a NetConf client, the managed device is a NetConf server
• Implemented using a layered model
• Supports multiple configuration datastores on managed devices
  • running / candidate / startup config
  • running config may not be directly writable
• Configuration validation before commit
• Transactions over multiple managed devices
• Selective configuration/operational data retrieval (filtering)
• Notification events
  • streaming & playback of events of a specified type
Complexity is pushed from the network management system to the managed devices
Transactions in NetConf (1)
Adheres to the traditional ACID properties:
• Atomicity – performs all or nothing if something fails
• Consistency - all operations specified in any order will be done at once, in an order that makes sense for the managed device
• Independence - concurrent clients operate in parallel, transactions are serialized internally
• Durability - done is done
Transactions in NetConf (2)
• The NMS is freed from the complexity of „undoing“ partially successful actions (rollback)
  • compare with standardized SQL with transaction support
  • huge saving of error handling code in the NMS
• The consistency feature guarantees that the NMS does not need to define operations in a particular order (e.g. creation of an interface does not have to precede adding a route via the new interface in an edit-config message) – the managed device is responsible for proper ordering if it is needed
• The possibility to validate the candidate configuration is a prerequisite of committing a distributed transaction (followed by candidate config activation on all devices)
• Confirmed commit causes the managed device to roll back automatically if a second (confirming) commit is not sent within the specified timeout or the management connection is broken
NetConf Layered Model
• TCP
• SSH/TLS + certificates
  • also handles authentication and content encryption
• Remote Procedure Call semantics
• Netconf commands and notifications (in XML)
• Netconf command payload (formatted according to the respective YANG model)
NetConf Messages (1)
- Remote procedure call (RPC) paradigm
- Messages are encoded in XML
• get – reads either configuration or operational data
• get-config – reads configuration data
  • optional support for XPath filtering
• edit-config – updates part of the configuration
  • operations: merge, replace, create, delete / remove
    • define how a configuration section will be combined with the existing config
  • test-options: test-then-set (default), set, test-only (validation)
  • error-options: stop-on-error (default), continue-on-error, rollback-on-error
• copy-config – copies config data between datastores, e.g. running to startup
• delete-config – deletes the entire configuration in a specified datastore
NetConf Messages (2)
• lock, unlock – lock a specified datastore for exclusive access
  • optional partial lock
• close-session - closes the management session gracefully
• kill-session - closes a management session forcefully
• commit – copies the candidate datastore to the running config
• discard-changes – deletes changes in the candidate datastore
• cancel-commit – aborts a confirmed commit
  • Confirmed commit: a 2nd commit within the specified timeout is needed, otherwise rollback occurs
• get-schema (RFC 6022) – gets the contents of a particular YANG module listed in the device's capabilities
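As an added example that is not part of the slides: the per-device message sequence of the confirmed-commit transaction described above (lock, edit-config with rollback-on-error, validate, confirmed commit, confirming commit, unlock), built only after checking the server's Hello capabilities, with RFC 6242 framing. The Hello, the users payload and its urn:example:users namespace are constructed samples and the helper names are my own; the capability URIs and element names are the ones RFC 6241 defines.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"      # NETCONF XML namespace (RFC 6241)
CAP_PREFIX = "urn:ietf:params:netconf:capability:"   # prefix of the standard capability URIs
EX = "urn:example:users"                             # made-up namespace for the sample payload
ET.register_namespace("nc", NC)
ET.register_namespace("ex", EX)

# Constructed <hello> as a NETCONF server would send it (sample, not from a real device).
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
  </capabilities>
  <session-id>4</session-id>
</hello>"""

def nc(tag: str) -> str:
    """Qualified name of a NETCONF base-namespace element."""
    return f"{{{NC}}}{tag}"

def parse_hello(hello_xml: str) -> Set[str]:
    """Return the capability URIs advertised in a server <hello>."""
    root = ET.fromstring(hello_xml)
    return {c.text.strip() for c in root.iter(nc("capability")) if c.text}

def has_capability(caps: Set[str], short_name: str) -> bool:
    """True if e.g. 'candidate' or 'confirmed-commit' is advertised (any version)."""
    return any(c.startswith(f"{CAP_PREFIX}{short_name}:") for c in caps)

def datastore_ref(parent: ET.Element, kind: str, store: str = "candidate") -> None:
    """Append <target><candidate/></target> (or <source>...) to an operation."""
    ET.SubElement(ET.SubElement(parent, nc(kind)), nc(store))

def rpc(message_id: int, operation: ET.Element) -> str:
    """Wrap one operation element in an <rpc> envelope and serialise it."""
    envelope = ET.Element(nc("rpc"), {"message-id": str(message_id)})
    envelope.append(operation)
    return ET.tostring(envelope, encoding="unicode")

def rpc_operation(rpc_xml: str) -> str:
    """Local name of the operation carried by an <rpc> message."""
    return ET.fromstring(rpc_xml)[0].tag.split("}")[1]

def edit_config(payload: ET.Element, error_option: str = "rollback-on-error") -> ET.Element:
    """<edit-config> on the candidate datastore with explicit test/error options."""
    op = ET.Element(nc("edit-config"))
    datastore_ref(op, "target")
    ET.SubElement(op, nc("default-operation")).text = "merge"
    ET.SubElement(op, nc("test-option")).text = "test-then-set"
    ET.SubElement(op, nc("error-option")).text = error_option
    ET.SubElement(op, nc("config")).append(payload)
    return op

def transaction_rpcs(caps: Set[str], payload: ET.Element, confirm_timeout: int = 60) -> List[str]:
    """Message sequence sent to one device inside a distributed transaction.

    Refuses up front if the server does not advertise the capabilities the
    sequence relies on, so the NMS never starts a change it cannot roll back.
    """
    for needed in ("candidate", "validate", "confirmed-commit", "rollback-on-error"):
        if not has_capability(caps, needed):
            raise RuntimeError(f"server lacks the :{needed} capability")
    lock = ET.Element(nc("lock"))
    datastore_ref(lock, "target")
    validate = ET.Element(nc("validate"))
    datastore_ref(validate, "source")
    confirmed = ET.Element(nc("commit"))          # activates candidate; auto-rollback on timeout
    ET.SubElement(confirmed, nc("confirmed"))
    ET.SubElement(confirmed, nc("confirm-timeout")).text = str(confirm_timeout)
    confirming = ET.Element(nc("commit"))         # sent once every device in the set accepted
    unlock = ET.Element(nc("unlock"))
    datastore_ref(unlock, "target")
    ops = [lock, edit_config(payload), validate, confirmed, confirming, unlock]
    return [rpc(101 + i, op) for i, op in enumerate(ops)]

def frame(message: str, caps: Set[str]) -> bytes:
    """RFC 6242 framing: chunked for base:1.1, ']]>]]>' end-of-message for base:1.0."""
    data = message.encode()
    if "urn:ietf:params:netconf:base:1.1" in caps:
        return b"\n#%d\n" % len(data) + data + b"\n##\n"
    return data + b"]]>]]>"

def sample_payload() -> ET.Element:
    """Constructed data following the slides' 'list users' model."""
    users = ET.Element(f"{{{EX}}}users")
    user = ET.SubElement(users, f"{{{EX}}}user")
    ET.SubElement(user, f"{{{EX}}}login-name").text = "adam"
    ET.SubElement(user, f"{{{EX}}}full-name").text = "Adam Example"
    return users

if __name__ == "__main__":
    capabilities = parse_hello(SAMPLE_HELLO)
    for msg in transaction_rpcs(capabilities, sample_payload()):
        print(frame(msg, capabilities).decode())
```

Sending the confirming commit only after every device in the transaction has accepted the confirmed one is what turns the per-device rollback timer into a distributed all-or-nothing change.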
How to play with NetConf?
• Netconf browser
  • GUI that establishes an SSH session to a Netconf server and provides tools to send individual NetConf commands with a specified payload
  • various NetConf browsers (both free and commercial) are available
• netconf-console utility
  • same as the above but in command line style
• Python ncclient library
YANG („Yet Another Next Generation“)
• Data modelling language
  • not an information modelling language (like UML) as it also describes implementation details (protocol-specific constructs, data representation on the wire, …) - not just a conceptual model (see RFC 3444)
  • … which is why XML-based modelling languages were rejected and a new language had to be specified
• RFC 6020 - YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)
• RFC 7950 - The YANG 1.1 Data Modeling Language
• In principle, the data model corresponds to the device API
  • NetConf, RESTConf and any other RPC-style remote management protocols' commands can be autogenerated equally easily
YANG Data Model
• Abstraction of (part of) the network configuration
• Defines configuration data or operational state data (current status, statistics, historical trends)
• Tree structure
• Resources are identified by paths in the tree
• Instances of schema trees are called data trees and are encoded in XML
Configuration is represented in a hierarchical text-oriented format, which is advantageous for its further automated processing
YANG Modules
• Module = group of definitions
• Every module has a unique namespace
• Module structure:
  • header info
  • imports/includes
  • type definitions
  • config & operational data definitions
  • action (RPC functions) and notification declarations
Basic YANG Language Constructs (1)
• Leaf nodes:
  • Leaf = actual variable (at most one instance)
  • Leaf-list = list of leafs (may have multiple instances)
• Non-leaf nodes:
  • Container = set of leaf or non-leaf nodes. At most one instance.
  • List = like Container but may have multiple instances („container-list“)
    • key item defines the unique (indexing) item
    • other items may also be defined as unique
    • Navigating in lists: /myList[name='Adam']/age = 32
  • Leafref = reference to another existing leaf
    • Path or XPath expression
Basic YANG Language Constructs (2)
• All leafs can be either R/W (config true is the default attribute) or R/O
  • A leaf with config false is not provided by get_config()
• Every element has a description field => YANG modules are self-documenting
Common YANG Data Types (RFC 6991)
• intN, uintN, decimal64 = float
• string
• enum
• bits = bit array
• binary = BLOB
• leafref, identityref
• typedef, union – like in C
ietf-yang-types: networking & SNMP-like data types (IP addresses, counter, gauge, …)
Allowed values can be further restricted using range, length, pattern (regexp) and similar keywords
YANG: Leaf Definition Syntax
leaf L {
  type ttt;
  mandatory true/false;
  config true/false;
  default value;
  description "xxx";
  units U; // for display purposes only
  must "<XPath boolean constraint>";
  // Tool to enforce semantic consistency, checks relations with values in other leafs
  // All XPath 1.0 operators are allowed in the expression
  when "<XPath expr>"; // leaf L can be used only if the XPath expression is true
}
YANG: Leaf-list Definition Syntax
leaf-list xxx {
  type ttt;
}
YANG: Container Definition Syntax
container CCC {
  leaf item1 { type ttt1; }
  leaf item2 { type ttt2; }
  container item3 { ... }
}
Presence containers
container ssh {
  presence "enables ssh";
}
creation of this container by the NMS starts the ssh service on the managed device (as a usage example)
YANG: List Definition Syntax
list users {
  key "login-name"; // must be present if config true
  unique "full-name"; // optional: other leafs may be declared unique too
  leaf login-name {
    type string;
  }
  leaf full-name {
    type string;
  }
  // optional specs: max-elements, min-elements, ordered-by, …
}
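As an added example (not from the slides): the checks a NetConf server performs on a data tree before it accepts a list like users into the candidate datastore, i.e. the semantics of key, unique, mandatory, min/max-elements and must from the YANG constructs above, plus the config false filtering that keeps state leafs out of a get-config reply. The schema is a Python dict standing in for the YANG module (with a Python predicate in place of the must XPath expression); the entries, the leafs beyond the slides' login-name/full-name, and the error wording are constructed, while the data-not-unique, too-many-elements, too-few-elements and must-violation tags are the error-app-tags RFC 6020 defines.

```python
from typing import Any, Dict, List

Entry = Dict[str, Any]

# Constructed schema standing in for the slides' "list users" YANG module.
USERS_LIST: Dict[str, Any] = {
    "key": "login-name",
    "unique": ["full-name"],
    "min-elements": 1,
    "max-elements": 3,
    "leaves": {
        "login-name": {"type": str, "mandatory": True, "config": True},
        "full-name":  {"type": str, "mandatory": False, "config": True},
        "shell":      {"type": str, "mandatory": False, "config": True},
        "uid":        {"type": int, "mandatory": True, "config": True},
        "last-login": {"type": str, "mandatory": False, "config": False},  # state, not config
    },
    # must: a Python predicate plus message instead of YANG's XPath string (constructed rule)
    "must": (lambda e: e.get("uid") != 0 or e.get("login-name") == "root",
             "uid 0 is reserved for login-name root"),
}

def validate_list(schema: Dict[str, Any], entries: List[Entry]) -> List[str]:
    """Return the problems found as 'tag: detail' strings; empty list means valid.

    data-not-unique, too-many-elements, too-few-elements and must-violation are
    RFC 6020 error-app-tags; the other tags here are descriptive labels only.
    """
    errors: List[str] = []
    if len(entries) < schema["min-elements"]:
        errors.append(f"too-few-elements: need at least {schema['min-elements']}")
    if len(entries) > schema["max-elements"]:
        errors.append(f"too-many-elements: at most {schema['max-elements']} allowed")
    key = schema["key"]
    seen_keys: set = set()
    seen_unique = {u: set() for u in schema["unique"]}
    predicate, must_msg = schema["must"]
    for pos, entry in enumerate(entries):
        where = f"entry {pos}"
        for name in entry:                              # no leaf outside the model
            if name not in schema["leaves"]:
                errors.append(f"unknown-element: {where} has unknown leaf '{name}'")
        for name, spec in schema["leaves"].items():     # mandatory leafs and value types
            if name not in entry:
                if spec["mandatory"]:
                    errors.append(f"missing-element: {where} lacks mandatory leaf '{name}'")
            elif not isinstance(entry[name], spec["type"]):
                errors.append(f"invalid-value: {where} leaf '{name}' is not {spec['type'].__name__}")
        if key in entry:                                # key values index the list, so no repeats
            if entry[key] in seen_keys:
                errors.append(f"data-exists: duplicate key {key}='{entry[key]}'")
            seen_keys.add(entry[key])
        for u in schema["unique"]:                      # other leafs declared unique
            if u in entry:
                if entry[u] in seen_unique[u]:
                    errors.append(f"data-not-unique: {u}='{entry[u]}' appears twice")
                seen_unique[u].add(entry[u])
        if not predicate(entry):                        # cross-leaf semantic constraint
            errors.append(f"must-violation: {where}: {must_msg}")
    return errors

def get_config_view(schema: Dict[str, Any], entries: List[Entry]) -> List[Entry]:
    """What get-config returns: config true leafs only, config false (state) leafs dropped."""
    return [{n: e[n] for n, s in schema["leaves"].items() if s["config"] and n in e}
            for e in entries]

# Constructed candidate data: a valid set and a broken variant for illustration.
GOOD_USERS: List[Entry] = [
    {"login-name": "root", "full-name": "Superuser", "uid": 0, "last-login": "2010-01-01"},
    {"login-name": "adam", "full-name": "Adam Example", "uid": 1001},
]
BAD_USERS: List[Entry] = GOOD_USERS + [
    {"login-name": "adam", "full-name": "Adam Example", "uid": 0, "shell": 7, "age": 32},
]

if __name__ == "__main__":
    for problem in validate_list(USERS_LIST, BAD_USERS):
        print(problem)
    print(get_config_view(USERS_LIST, GOOD_USERS))
```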
RPC Actions
Triggered by the NMS
Example action: activate_software_image
rpc xxx {
  input {
    type_definition
  }
  output {
    type_definition
  }
}
RPC Notifications
A NetConf client can subscribe to receive notifications of a specific type or ask the NetConf server to play back notifications of some type
notification config_changed {
  description "Configuration changes logging event";
  leaf who {
    type string;
  }
  leaf what {
    type string;
  }
}
Groupings
grouping = reusable subtree structure
grouping GGG {
  …
}
container CCC {
  uses GGG {
    refine GGGitemX { definition_changed }
  }
}
Augmenting
• Way for one module to „hook“ itself into another module
• For example, an additional leaf can be added to an existing container definition and create a new type
• Transparent to the Netconf client
Identities
• Advanced enums: hierarchical, extensible
• Type identityref: refers to a base type
  • all descendant values are also OK
Features
Conditional extension of the data model based on the availability of some „feature“
Features provided by the Netconf server are present in the Hello message
feature myFeat {
  description "DDD";
}
container logging {
  if-feature myFeat;
  … entries to be included only if myFeat exists
}
YANG in practice
pyang command-line utility
• displays a YANG model file graphically (tree)
  • text, XML, ...
  • or just a particular model subtree starting at a specified level
• YANG format/syntax validation
• Cisco YDK – generates code with classes (Python/C++) based on a particular YANG model
Standardized YANG data models
• IETF
  • official, long formal approval process
  • https://github.com/YangModels/yang
• OpenConfig
  • more agile, but sometimes multiple approved models for the same functionality exist in parallel
  • http://www.openconfig.net
• ITU, IEEE, ETSI, MEF, …
• Native model – some vendors expose their own (nonstandard) model for the device, natural to the device's config logic
  • Sometimes they expose a standard model with limited capabilities in parallel
YANG Model Catalog
• http://www.yangcatalog.org/
Useful references for NetConf and Yang
• NETCONF and YANG Tutorial part 1a: NETCONF and YANG Overview
  • https://www.youtube.com/watch?v=Vr4kB1_6fLQ
• NETCONF and YANG Tutorial Part 1b: Relation to SDN
  • https://www.youtube.com/watch?v=m6spTjQyTEo
• NETCONF and YANG Tutorial Part 2: NETCONF
  • https://www.youtube.com/watch?v=xoPZO1N-x38#t=35.357354
• NETCONF YANG Tutorial Part 3: YANG
  • https://www.youtube.com/watch?v=33VBb6N4yOY
• BRKNMS-2032 - YANG Data Modeling and NETCONF
  • https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=93815
• Tail-F Systems technology brief: Instant YANG
  • http://www.tail-f.com/wordpress/wp-content/uploads/2014/02/Tail-f-Instant-YANG.pdf
• Test workbench: 2x CSR1000V in VirtualBox with Vagrant
  • http://gitlab.cisco.com/rschmied/dp-workbench
REST APIs
• Not a standard, just a design principle (CRUD)
• Resources identified by URLs
• HTTP operations
• XML/JSON encoded data
RESTConf (RFC 8040)
• Lightweight HTTP API for NETCONF datastores
• Limited functionality compared to NetConf
  • REST => operates on a single resource at a time only, no transactions, no locking
  • always operates on the running config
• GET/POST/PATCH/DELETE HTTP commands to edit resources represented as YANG models
• Configuration data in JSON/XML
• Supported operations defined in YANG
  • Defines a method (URL) to get the supported YANG module list (corresponds to NetConf capabilities in the Hello message)
  • URL to get individual YANG module contents (corresponds to the NetConf get-schema command)
  • Support for W3C server-sent events (corresponds to NetConf notifications)
Infrastructure Orchestration Tools
Ansible
• Automation language + automation engine
• Managing applications, OSes, virtualization infrastructure, network
• Open source, freely available
• Control machine (Linux) + agentless managed devices
  • Managed device has to provide SSH server capability + Python interpreter
  • Control machine communicates over SSH, installs Python scripts
• Alternatively, local mode can be utilized for managed devices without SSH server capability
  • agent runs on the control machine and communicates with the managed device by alternative means (e.g. REST API)
Ansible Components
• Inventory
  • list of managed devices
  • variables associated with individual devices
  • device groups
• Modules
  • Python scripts to implement a particular task on some platform
  • Roughly correspond to device drivers
• Playbooks
  • Control what tasks should be done (using modules)
44(C) 2010, Petr Grygarek
Ansible Inventories
• List of managed devices
• ini-file format (group names in []):
  [MYHOSTS]
  R1.example.com
  R2.example.com ansible_port=2222   # overrides value in [MYHOSTS:vars]
  [MYHOSTS:vars]
  ansible_port=2222
• Host may belong to multiple groups
• Host variables defined directly in inventory file or separately in per-host files (host_vars/per-host-file)
  • e.g. credentials for individual managed devices
• Multiple hosts can be defined using the "range" construct: SQLhost[01:04]
• Dynamic inventory: content obtained e.g. from LDAP
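As an added example (not from the original slides), the same kind of inventory written in Ansible's YAML inventory format, which Ansible accepts alongside the ini form shown above. The MYHOSTS group, the R1/R2 hosts and the SQLhost[01:04] range follow the slide; the DBHOSTS and LAB groups, the port values and the ansible_user account name are assumptions:

```yaml
# Added example: Ansible inventory in YAML form (not from the original slides).
# Group names and hosts follow the slide; extra groups and variable values are assumed.
all:
  children:
    MYHOSTS:
      hosts:
        R1.example.com:            # inherits ansible_port from the group vars below
        R2.example.com:
          ansible_port: 2222       # host variable overrides the group value
      vars:
        ansible_port: 22           # assumed default for the group
        ansible_user: netadmin     # assumed account name; the credential itself
                                   # belongs in host_vars/ or an ansible-vault file
    DBHOSTS:
      hosts:
        SQLhost[01:04]:            # range construct: SQLhost01 .. SQLhost04
    LAB:                           # a host may belong to several groups
      hosts:
        R1.example.com:
        SQLhost01:
```

Group variables apply to every host in the group, a per-host entry wins over them, and a host listed under two groups (R1.example.com here) receives the variables of both; keeping secrets out of this file and in host_vars/ or a vault-encrypted file keeps the inventory safe to share and version.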
Ansible Modules
• Module is a script to accomplish a particular task
• Written in Python by Ansible definition
  • PowerShell can be used to manage Windows devices
  • technically, any scripting language could be used
• Normally runs on managed device
  • SSH access to managed device
  • copy of Python script, run, cleanup
• Optionally runs in local mode
  • for managed devices without SSH server and/or Python interpreter
    • lots of network devices
  • runs on control server
  • SSH to managed box using Python/Paramiko SSH implementation
    • starts local commands on managed device via SSH session
  • Alternatively uses API calls to managed device
Ansible Playbooks
• Controls execution of tasks (utilizing modules)
• Consists of one or multiple Plays
• Each Play defines devices (groups) to perform tasks on and which tasks (modules) to start (plus respective parameters)
• Vendor-agnostic – limited vendor lock-in
  • vendor-specific functionality is contained in Ansible modules
• YAML format
Playbook structure
name
hosts: group to run playbook on
vars: section – variable definition
tasks: section – modules to be run, variables can be utilized here
{{ inventory_hostname }} – represents currently processed host
Ansible Variables
• Contain parameters of individual managed nodes
  • defined in inventory
• May also be defined in playbook
• May also be passed from command line
• Jinja2 format: {{ myVar }}
  • in YAML file in quotes
• Facts = special type of variables with values obtained from managed device before a playbook is run
  • using the "setup" module/script to be run against managed device
Ansible Templates
• Utilizes Jinja2 templating engine
• Renders output text based on template and parameters to be iterated through
• Template can contain conditional inclusion of text and iterations
• Contains control tags like {% if … %}, {% else %} and {% endif %}
Usage of Templates in Ansible Playbook
tasks:
  - name: aDemoTask
    template:
      src: example.jinja
      dest: <destination path on managed device>
    with_items: <parameters to be passed to template>
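The playbook structure, variables, facts and template slides above, combined into one complete play as an added example (not from the original slides). It runs against the MYHOSTS group of the inventory slide; the template file name example.jinja is the slide's, while the destination paths, the variable values, the vault file name and the server addresses are assumptions:

```yaml
---
# Added example playbook (not from the original slides): one Play against the
# MYHOSTS group. Destination paths, variable values and vault.yml are assumed.
- name: Push a generated configuration fragment to each managed device
  hosts: MYHOSTS
  vars:
    syslog_servers:
      - 192.0.2.10          # constructed sample addresses (documentation range)
      - 192.0.2.11
    ntp_servers:
      - 192.0.2.20
    banner: Authorised access only
  vars_files:
    - vault.yml             # secrets live here; encrypt with: ansible-vault encrypt vault.yml
                            # and supply the password at run time with --ask-vault-pass

  tasks:
    - name: Gather facts explicitly (the "setup" module the facts slide refers to)
      setup:

    - name: Show the host being processed and one fact collected from it
      debug:
        msg: "Configuring {{ inventory_hostname }} ({{ ansible_facts['system'] }})"

    - name: Render example.jinja on the control machine and install it on the device
      template:
        src: example.jinja                 # assumed template file next to the playbook
        dest: /etc/device/fragment.conf    # assumed destination path
        mode: "0640"

    - name: Add one logging line per syslog server (loop variable is item)
      lineinfile:
        path: /etc/device/fragment.conf
        line: "logging host {{ item }}"
      with_items: "{{ syslog_servers }}"

    - name: Render an inline Jinja2 snippet with a condition and an iteration
      copy:
        dest: /etc/device/banner.conf      # assumed destination path
        content: |
          {% if banner is defined %}
          banner motd {{ banner }}
          {% else %}
          banner motd Unauthorised access prohibited
          {% endif %}
          {% for srv in ntp_servers %}
          ntp server {{ srv }}
          {% endfor %}

    - name: Report hosts whose inventory entry sets a non-default SSH port
      debug:
        msg: "{{ inventory_hostname }} is reached on port {{ ansible_port }}"
      when: ansible_port is defined and ansible_port != 22
```

Run it with ansible-playbook -i <inventory-file> site.yml --ask-vault-pass, adding -C first for a dry run that only reports what would change. Every value in quotes that contains {{ }} is rendered by Jinja2 before the module runs, so {{ inventory_hostname }} and {{ item }} differ per host and per loop iteration; the content of the copy task is templated the same way, which is why the {% if %} and {% for %} control tags work there as they would in a separate template file.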
Ansible-vault
• Encrypts playbook with a password that has to be provided when playbook has to be run
• Useful e.g. not to expose passwords hardcoded in the playbook
YAML – Yet Another Markup Language
• Simple text format, easy to understand
• YAML file starts with ---, ends with ...
• Structure defined by indentation (like in Python)
• Lists & Dictionaries
• Online YAML validator: http://www.yamllint.com
YAML Syntax Example
Fruits:
  - apple
  - orange
  - plum
Honza:
  Name: Jan Novak
  Job: programmer
  Skills: good
Running Ansible
• ansible <parameters>
  • manual ad-hoc start of command/module
• ansible-playbook -i <inventory-file> playbook.yml
• dry run: no changes actually done, just displays actions to be done
  • parameter -C
References
https://www.ansible.com/quick-start-video
http://docs.ansible.com/ansible/glossary.html
http://docs.ansible.com/ansible